* Neil Moore [Thu, 01 Jan 2009 11:57:35 -0500]:
> Package: links2
> Version: 2.2-1
> Severity: grave
> Tags: security
> Justification: user security hole
Hello, Neil. I’m sorry I’m not mailing you to help solve this bug, since
I’m not the maintainer of links2.
I do release management in Debian, and I’m interested in knowing whether
this bug affects 2.1pre37-1.1, which is currently in stable (and testing).
Do you know if that is the case? Could you perhaps check?
Thanks,
> Links2 does not validate certificates it receives; as a result, there is
> no warning that one is visiting a page with an expired certificate, a
> certificate not signed by a trusted authority, or a certificate for the
> wrong hostname. As a result, an attacker capable of intercepting one's
> packets can launch a man-in-the-middle attack to obtain account numbers,
> passwords, etc.
> At the very least, the documentation should prominently warn that
> links2's HTTPS support is not to be relied upon for sensitive
> information.
> This is the same issue reported in bug 510348 for the (unrelated) browser
> 'dillo'.
> -- System Information:
> Debian Release: 5.0
> APT prefers unstable
> APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: i386 (i686)
> Kernel: Linux 2.6.26-1-openvz-686 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> Versions of packages links2 depends on:
> ii libc6 2.7-16 GNU C Library: Shared libraries
> ii libdirectfb-1.0-0 1.0.1-11 direct frame buffer graphics - sha
> ii libgpm2 1.20.4-3.1 General Purpose Mouse - shared lib
> ii libjpeg62 6b-14 The Independent JPEG Group's JPEG
> ii libpng12-0 1.2.27-2 PNG library - runtime
> ii libssl0.9.8 0.9.8g-14 SSL shared libraries
> ii libsvga1 1:1.4.3-27 console SVGA display libraries
> ii libtiff4 3.8.2-11 Tag Image File Format (TIFF) libra
> ii libx11-6 2:1.1.5-2 X11 client-side library
> ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
> links2 recommends no packages.
> links2 suggests no packages.
> -- no debconf information
--
- Are you sure we're good?
- Always.
-- Rory and Lorelai
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
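The three checks the report says links2 skips (expiry, hostname, and trust chain), as an added example that is not links2's code and not part of the bug report. It works on a constructed certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; `SAMPLE_CERT`, its names and dates, and the function names are all invented for the example. Expiry and hostname matching are done explicitly so the rules are visible; chain validation against the CA store is delegated to the TLS library through `strict_client_context()`, and `unverified_client_context()` shows the equivalent misconfiguration the report describes.

```python
"""Added example (not links2 code): the server-certificate checks an HTTPS
client must perform, shown on a constructed certificate dict."""
import ssl
import time

# Constructed sample certificate; subject, SAN entries and dates are invented.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.cdn.example.org")),
    "notBefore": "Jan 10 00:00:00 2008 GMT",
    "notAfter": "Jan 10 00:00:00 2009 GMT",
}

# Two reference clocks for the example: one inside, one after the validity window.
INSIDE_VALIDITY = ssl.cert_time_to_seconds("Jul 01 12:00:00 2008 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Feb 01 12:00:00 2009 GMT")


def match_dns_name(pattern, host):
    """RFC 6125-style match: exact, or a wildcard that is the whole leftmost
    label and covers exactly one label (so '*.org' and 'a.*.example.org' never match)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return pattern == host
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if a dNSName SAN (or, only when the cert has no SAN, the subject CN)
    matches the host the user actually asked for."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(match_dns_name(n, hostname) for n in names)


def is_within_validity(cert, now=None):
    """True if 'now' (epoch seconds) lies inside [notBefore, notAfter]."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def check_peer_cert(cert, hostname, now=None):
    """Return the list of problems found; an empty list means the leaf passes
    the expiry and hostname checks. Trust-chain validation is left to the TLS
    library (see strict_client_context), not re-implemented here."""
    problems = []
    if not is_within_validity(cert, now):
        problems.append("expired or not yet valid")
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    return problems


def strict_client_context():
    """What a browser's HTTPS client should hand to its sockets: system CA
    store, CERT_REQUIRED, hostname checking on, no pre-TLS1.2 protocols."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_client_context():
    """The misconfiguration the bug report describes: any certificate for any
    name is accepted, so an on-path attacker can simply present its own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for host in ("www.example.org", "img.cdn.example.org", "evil.example.org"):
        print(host, check_peer_cert(SAMPLE_CERT, host, INSIDE_VALIDITY) or "ok")
    print("after expiry:", check_peer_cert(SAMPLE_CERT, "www.example.org", AFTER_EXPIRY))
```

A client built on `strict_client_context()` gets the chain and hostname checks from the library on every `wrap_socket()`; the explicit functions are there to make clear which checks an "accept everything" client such as the one reported above is missing.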