[Bug 1082814] New: VUL-0: CVE-2012-6709 elinks: Does not properly verify SSL certificates
http://bugzilla.opensuse.org/show_bug.cgi?id=1082814

Bug ID: 1082814
Summary: VUL-0: CVE-2012-6709 elinks: Does not properly verify SSL certificates
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
URL: https://smash.suse.de/issue/200756/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: puzel@suse.com
Reporter: jsegitz@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---
From Vincent Danen
A Debian bug report [1] indicated that Links does not properly verify SSL certificates. If you visit a web site with an expired SSL certificate, Links will only display "SSL error" without any indication as to what the error was. This, in and of itself, is not a flaw; however, when testing, I found that when you go to a site with a valid SSL certificate, but for a different hostname (for example, if you go to https://alias.foo.com which might be a CNAME or a proxy for https://foo.com), Links will connect without any errors or warnings. Doing the same in a browser like Google Chrome, however, reports "You attempted to reach alias.foo.com, but instead you actually reached a server identifying itself as foo.com." and allows you to either proceed or not, before loading the site.

elinks https://wrong.host.badssl.com/ opens without warning

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694658

https://bugzilla.redhat.com/show_bug.cgi?id=881399
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6709
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694658

--
You are receiving this mail because:
You are on the CC list for the bug.
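The check the report says is missing is hostname verification: the chain may be valid, but the name on the certificate must also match the name the user asked for. The following is an added example (not code from the bug thread or from elinks) showing that check in Python, with a constructed peer certificate in the shape `ssl.SSLSocket.getpeercert()` returns; the `*.badssl.com` / `badssl.com` names are an assumption chosen to illustrate why a two-label host such as wrong.host.badssl.com does not match a single-label wildcard.

```python
import ssl

# Constructed peer certificate in getpeercert() shape (assumption, not a real
# capture): a wildcard plus the bare domain, as a CDN-style setup would carry.
EXAMPLE_PEER_CERT = {
    "subject": ((("commonName", "*.badssl.com"),),),
    "subjectAltName": (("DNS", "*.badssl.com"), ("DNS", "badssl.com")),
}

def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, wildcard only as the
    whole left-most label, and a wildcard never spans more than one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # reject "*.com"-style wildcards and label-count mismatches
    return p_labels[1:] == h_labels[1:]

def cert_names(cert: dict) -> list:
    """dNSName SAN entries; the CN is consulted only when no SAN is present."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(_label_matches(name, hostname) for name in cert_names(cert))

def describe_verification(cert: dict, hostname: str) -> str:
    """The message a client should show instead of a bare 'SSL error'."""
    if hostname_matches(cert, hostname):
        return f"ok: certificate matches {hostname}"
    return (f"hostname mismatch: you asked for {hostname} but the server "
            f"identifies itself as {', '.join(cert_names(cert))}")

def strict_client_context() -> ssl.SSLContext:
    """A client context that refuses unverified chains and hostname mismatches,
    i.e. the behaviour the report shows the browser lacked."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # reject certs issued for another name
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject untrusted roots and self-signed certs
    return ctx
```

Wrapping a socket with `strict_client_context()` makes the stdlib perform the same name check and raise `ssl.SSLCertVerificationError` with a descriptive `verify_message`.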
http://bugzilla.opensuse.org/show_bug.cgi?id=1082814
http://bugzilla.opensuse.org/show_bug.cgi?id=1082814#c4

Sébastien POHER <sogal@opensuse.org> changed:

What    |Removed |Added
----------------------------------------------------------------------------
CC      |        |sogal@opensuse.org

--- Comment #4 from Sébastien POHER <sogal@opensuse.org> ---
Hi all,

The latest 0.13 version that can be found here [0] seems to fix the issue. When browsing one of:

* https://wrong.host.badssl.com/
* https://self-signed.badssl.com/
* https://untrusted-root.badssl.com/

You now get a clear warning "Unable to get https://domain.tld: SSL Error / Retry without verification ?" and the ability to quit the connection or bypass the warning and go on.

I have built a test version here [1] if someone wants to try it.

Regards,

[0] http://elinks.or.cz/download.html
[1] https://build.opensuse.org/package/show/home:sogal/elinks
http://bugzilla.opensuse.org/show_bug.cgi?id=1082814
http://bugzilla.opensuse.org/show_bug.cgi?id=1082814#c10

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

What    |Removed |Added
----------------------------------------------------------------------------
CC      |        |Andreas.Stieger@gmx.de

--- Comment #10 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
ping