Bug 694016 - <www-client/links-2.20.2: DNS requests potentially sent outside Tor network even when Links connected to Tor
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Duplicates: 705328
Depends on:
Blocks:
 
Reported: 2019-09-11 05:37 UTC by Arfrever Frehtes Taifersar Arahesis
Modified: 2020-03-25 19:07 UTC

See Also:
Package list:
www-client/links-2.20.2
Runtime testing required: ---
stable-bot: sanity-check+


Description Arfrever Frehtes Taifersar Arahesis 2019-09-11 05:37:30 UTC
www-client/links-2.19 was released on 2019-04-04.
www-client/links-2.20 was released on 2019-08-28.
www-client/links-2.20.1 was released on 2019-09-04.

ChangeLog: http://links.twibright.com/download/ChangeLog

One of the entries for release 2.20:
"""
Mon Aug 26 18:21:43 CEST 2019 mikulas:

	Security bug fixed: when links was connected to tor, it would send real
	dns requests outside the tor network when the displayed page contains
	<link rel="dns-prefetch" href="http://host.domain/">.

	This bug is present in links-2.15 to links-2.19.

	Found by Shi Tian <shitian@cock.li>
"""
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 21:16:02 UTC
@ maintainer(s): Please bump to >=2.20!
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-13 05:13:58 UTC
*** Bug 705328 has been marked as a duplicate of this bug. ***
Comment 3 Larry the Git Cow gentoo-dev 2020-02-17 19:24:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7a3f6c8c3ef3cd7063a02908dbe96faf89612d3

commit c7a3f6c8c3ef3cd7063a02908dbe96faf89612d3
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2020-02-17 19:23:02 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2020-02-17 19:23:50 +0000

    www-client/links: bump to 2.20.2
    
    Add a few new flags for optional deps
    
    Closes: https://bugs.gentoo.org/657996
    Bug: https://bugs.gentoo.org/694016
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 www-client/links/Manifest            |   1 +
 www-client/links/links-2.20.2.ebuild | 170 +++++++++++++++++++++++++++++++++++
 www-client/links/metadata.xml        |   7 ++
 3 files changed, 178 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 04:07:14 UTC
@maintainer(s), please advise if ready for stabilisation, or call for it yourself
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-21 16:19:27 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-21 16:28:07 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-21 16:47:34 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-22 10:31:53 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-22 10:33:26 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-22 10:37:49 UTC
x86 stable
Comment 11 Mart Raudsepp gentoo-dev 2020-03-22 13:01:21 UTC
arm64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-03-22 14:06:33 UTC
ia64 stable
Comment 13 Rolf Eike Beer archtester 2020-03-23 21:19:42 UTC
hppa stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-03-25 08:12:50 UTC
arm stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Larry the Git Cow gentoo-dev 2020-03-25 09:13:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=998fa01bec870ac488e278245481542d9375a94d

commit 998fa01bec870ac488e278245481542d9375a94d
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2020-03-25 09:11:42 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2020-03-25 09:12:56 +0000

    www-client/links: clean up vulnerable versions.
    
    Bug: https://bugs.gentoo.org/694016
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 www-client/links/Manifest             |   4 -
 www-client/links/links-2.14-r1.ebuild | 152 ----------------------------------
 www-client/links/links-2.16.ebuild    | 152 ----------------------------------
 www-client/links/links-2.17.ebuild    | 152 ----------------------------------
 www-client/links/links-2.18.ebuild    | 152 ----------------------------------
 5 files changed, 612 deletions(-)
Comment 16 Patrice Clement gentoo-dev 2020-03-25 09:14:59 UTC
(In reply to Agostino Sarubbo from comment #14)
> Maintainer(s), please cleanup.

Done.
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 19:07:51 UTC
GLSA Vote: No

Repository is clean, all done!
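
The failure mode in the ChangeLog entry quoted in the description, as an added example (not Links' code and not part of the original report): a single resolver gate that every lookup path has to pass, including `dns-prefetch` hints, so that no name is resolved locally while a proxy is configured. The struct, the function names and the proxy address are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical client settings; not Links' real data structures. */
struct net_config { const char *socks_proxy; /* "127.0.0.1:9050" or NULL */ };

enum lookup_action { LOOKUP_LOCAL, LOOKUP_VIA_PROXY, LOOKUP_SKIP };

/* Copy the host of a scheme://host[:port]/... URL into out; 0 on success.
   Simplified: no userinfo or IPv6-literal handling. */
static int url_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    size_t n = p ? strcspn(p + 3, "/:?#") : 0;
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p + 3, n);
    out[n] = '\0';
    return 0;
}

/* One gate for every name lookup. speculative != 0 marks lookups the user
   did not request, such as <link rel="dns-prefetch">. */
enum lookup_action resolve_policy(const struct net_config *cfg, int speculative)
{
    int proxied = cfg->socks_proxy && cfg->socks_proxy[0] != '\0';
    if (!proxied) return LOOKUP_LOCAL;
    /* Proxied: a prefetch has no connection to carry the name, so drop it. */
    return speculative ? LOOKUP_SKIP : LOOKUP_VIA_PROXY;
}

/* Handle a dns-prefetch hint; host is non-empty only if a lookup is issued. */
enum lookup_action on_dns_prefetch(const struct net_config *cfg,
                                   const char *href, char *host, size_t hostlen)
{
    enum lookup_action a = resolve_policy(cfg, 1);
    if (a == LOOKUP_SKIP || url_host(href, host, hostlen) != 0) {
        host[0] = '\0';
        return LOOKUP_SKIP;
    }
    return a;
}

int main(void)
{
    struct net_config tor = { "127.0.0.1:9050" }; /* constructed sample */
    char host[64];
    printf("%d\n", on_dns_prefetch(&tor, "http://host.domain/", host, sizeof host));
    return 0;
}
```

The design point is that the prefetch path calls the same gate as ordinary page loads instead of reaching the system resolver on its own.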