Bug ID 1082814
Summary VUL-0: CVE-2012-6709 elinks: Does not properly verify SSL certificates
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.3
Hardware Other
URL https://smash.suse.de/issue/200756/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee puzel@suse.com
Reporter jsegitz@suse.com
QA Contact security-team@suse.de
Found By Security Response Team
Blocker ---

From Vincent Danen

A Debian bug report [1] indicated that Links does not properly verify SSL
certificates.  If you visit a web site with an expired SSL certificate, Links
will only display "SSL error" without any indication as to what the error was.
This, in and of itself, is not a flaw; however, when testing, I found that when
you go to a site with a valid SSL certificate, but for a different hostname
(for example, if you go to https://alias.foo.com which might be a CNAME or a
proxy for https://foo.com) Links will connect without any errors or warnings.
Doing the same in a browser like Google Chrome, however, reports "You attempted
to reach alias.foo.com, but instead you actually reached a server identifying
itself as foo.com." and allows you to either proceed or not, before loading the
site.

elinks https://wrong.host.badssl.com/
opens without warning

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694658
https://bugzilla.redhat.com/show_bug.cgi?id=881399
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6709
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694658
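The check the report says ELinks skipped, as an added example that is not part of the bug report or of the ELinks code: RFC 6125 hostname matching applied to a certificate in the dict layout Python's ssl.SSLSocket.getpeercert() returns. The certificate is a constructed sample valid only for foo.com, so the alias.foo.com case from the report is rejected; verifying_context() shows the client-side setting that turns this check on.

```python
"""Hostname verification a TLS client must apply after chain validation."""
import ssl


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one presented identifier (dNSName or CN) against a hostname.

    Case-insensitive exact match, or a wildcard that replaces the whole
    left-most label only: "*.foo.com" matches "a.foo.com" but not
    "foo.com" or "a.b.foo.com".
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be the entire left-most label
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if `hostname` is an identity the certificate asserts.

    subjectAltName dNSName entries take precedence; the subject CN is
    consulted only when the certificate carries no dNSName at all.
    """
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_dns_label_match(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_label_match(value, hostname)
    return False


def verifying_context() -> ssl.SSLContext:
    """Client context with chain validation and hostname checking enabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True  # the check the report found missing
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample certificate, valid for foo.com and www.foo.com only.
FOO_COM_CERT = {
    "subject": ((("commonName", "foo.com"),),),
    "subjectAltName": (("DNS", "foo.com"), ("DNS", "www.foo.com")),
}
```

A client that wraps its socket with verifying_context() fails the handshake for alias.foo.com instead of silently connecting, which is the behaviour the report expects.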