Bug 441906 (CVE-2012-5821) - <www-client/lynx-2.8.8_rc1: Does not verify that the server's certificate is signed by a trusted certification authority (CVE-2012-5821)
Status: RESOLVED FIXED
Alias: CVE-2012-5821
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-05 17:40 UTC by Agostino Sarubbo
Modified: 2014-03-06 04:07 UTC (History)
Description Agostino Sarubbo gentoo-dev 2012-11-05 17:40:45 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=873262 :

Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5821 to the following vulnerability:

Lynx does not verify that the server's certificate is signed by a trusted certification authority, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate, related to improper use of a certain GnuTLS function.

References:
[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[2] https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
[3] http://www.sigsac.org/ccs/CCS2012/techprogram.shtml
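The bug class in this report is a TLS client whose handshake completes even though the server's certificate chain was never checked against a trust store, so an attacker in the middle can present any certificate. The following is an added example written for this page, not Lynx's or GnuTLS's code: it uses Python's stdlib ssl module (not GnuTLS) and the openssl command-line tool (assumed to be installed) to mint a throw-away self-signed certificate, then runs a loopback TLS server and connects with three client policies. The "no_verification" policy stands in for the vulnerable behaviour (any certificate accepted); the other two show the chain check against the system trust store (which must fail for an unknown signer) and against an explicitly pinned trust anchor plus hostname check (which must succeed). The host name, port handling and banner text are all constructed for the demo.

```python
"""Added example for CVE-2012-5821's bug class (not Lynx's or GnuTLS's code):
a loopback TLS server with a self-signed cert and three client policies."""
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path

HOST = "127.0.0.1"
SERVER_NAME = "localhost"  # name the client expects to find in the cert's SAN


def make_self_signed(workdir: Path) -> tuple[Path, Path]:
    """Generate a throw-away self-signed cert + key (assumes the openssl CLI).
    No trust store has signed it, which is what a MITM's crafted certificate
    looks like to a client that actually checks the chain."""
    key, cert = workdir / "key.pem", workdir / "cert.pem"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "ec",
         "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes",
         "-keyout", str(key), "-out", str(cert), "-days", "1",
         "-subj", f"/CN={SERVER_NAME}",
         "-addext", f"subjectAltName=DNS:{SERVER_NAME}"],
        check=True, capture_output=True)
    return cert, key


def serve(cert: Path, key: Path, listener: socket.socket, attempts: int) -> None:
    """Accept `attempts` connections and send a banner after each handshake.
    A client that rejects the cert aborts mid-handshake; just move on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=str(cert), keyfile=str(key))
    for _ in range(attempts):
        conn, _ = listener.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello")
        except OSError:  # ssl.SSLError is a subclass of OSError
            conn.close()


def connect(ctx: ssl.SSLContext, port: int) -> str:
    """Handshake under the given client policy and report the outcome."""
    with socket.create_connection((HOST, port), timeout=5) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
                return "connected" if tls.recv(16) == b"hello" else "no banner"
        except ssl.SSLCertVerificationError:
            return "rejected"


def no_verification_context() -> ssl.SSLContext:
    """Vulnerable policy: the handshake runs, the chain is never verified,
    so any certificate (including a MITM's) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_context(cafile: Path) -> ssl.SSLContext:
    """Correct policy: chain verified against an explicit trust anchor
    (CERT_REQUIRED and check_hostname are the defaults for TLS_CLIENT)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=str(cafile))
    return ctx


def run_demo() -> dict[str, str]:
    """Run all three policies against the same self-signed server."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(Path(tmp))
        listener = socket.socket()
        listener.bind((HOST, 0))
        listener.listen()
        listener.settimeout(10)
        port = listener.getsockname()[1]
        policies = {
            "no_verification": no_verification_context(),
            "system_trust_store": ssl.create_default_context(),
            "pinned_trust_anchor": pinned_context(cert),
        }
        server = threading.Thread(
            target=serve, args=(cert, key, listener, len(policies)))
        server.start()
        results = {name: connect(ctx, port) for name, ctx in policies.items()}
        server.join()
        listener.close()
        return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:20s} {outcome}")
```

The "rejected" outcome is raised by the client as ssl.SSLCertVerificationError; a client that only inspects whether the handshake returned an error code, but never consults the verification status (the pattern the CVE text describes as improper use of a GnuTLS function), behaves like the first policy regardless of what the trust store says.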
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-11-07 23:31:59 UTC
CVE-2012-5821 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5821):
  Lynx does not verify that the server's certificate is signed by a trusted
  certification authority, which allows man-in-the-middle attackers to spoof
  SSL servers via a crafted certificate, related to improper use of a certain
  GnuTLS function.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-22 18:54:40 UTC
Arches, please stabilize:
=www-client/lynx-2.8.8_rc1
Target arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2013-12-22 19:21:14 UTC
Stable for HPPA.
Comment 4 Pacho Ramos gentoo-dev 2013-12-22 19:22:03 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-12-23 11:25:08 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-12-23 12:03:38 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-12-23 14:26:01 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-12-23 14:48:48 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-12-23 14:53:00 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-05 09:10:28 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-01-12 13:18:10 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-12 13:57:43 UTC
GLSA vote: no
Comment 13 Sergey Popov gentoo-dev 2014-01-20 14:29:00 UTC
GLSA vote: no

Waiting for cleanup
Comment 14 Tim Harder gentoo-dev 2014-03-06 03:41:33 UTC
(In reply to Sergey Popov from comment #13)
> Waiting for cleanup

Done.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-03-06 04:07:31 UTC
Maintainer(s), Thank you for cleanup!