Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 253847 - <www-client/links-2.3_pre1-r1: SSL Verification Security Issue
Summary: <www-client/links-2.3_pre1-r1: SSL Verification Security Issue
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Reported: 2009-01-05 13:02 UTC by Bruno Buss
Modified: 2012-06-25 19:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Bruno Buss 2009-01-05 13:02:20 UTC
"A security issue has been discovered in Links, which can be exploited by malicious people to conduct spoofing attacks.

The problem is that the certificate presented by a server at the beginning of an SSL session is not verified. This can be exploited to spoof valid servers via a man-in-the-middle attack.

The security issue is confirmed in version 2.2. Other versions may also be affected."
Comment 1 SpanKY gentoo-dev 2011-02-20 18:29:48 UTC
ive added the fix that Debian has to 2.3_pre1-r1 and so that version can be stabilized i think
Comment 2 Agostino Sarubbo gentoo-dev 2011-02-21 09:53:52 UTC
works for me on amd64
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2011-02-21 18:25:05 UTC
amd64 done
Comment 4 Andreas Schürch gentoo-dev 2011-02-22 06:25:56 UTC
Seems also good to go on x86 here.
Comment 5 Alex Buell 2011-02-22 21:07:04 UTC
Tested OK on SPARC, stabilisation would be good. 
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-23 12:41:10 UTC
ppc/ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2011-02-24 18:19:47 UTC
Stable for HPPA.
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2011-02-24 21:12:42 UTC
x86 done. Thanks Andreas!
Comment 9 Michael Weber (RETIRED) gentoo-dev 2011-02-25 23:08:47 UTC
sparc done, thanks Alex Buell
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-02-26 17:28:45 UTC
alpha/arm/ia64/s390/sh stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-02-26 19:44:39 UTC
Thanks, folks.

GLSA Vote: yes
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-28 22:25:15 UTC
Yes, too. GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-06-25 19:11:22 UTC
This issue was resolved and addressed in
 GLSA 201206-32 at
by GLSA coordinator Stefan Behte (craig).