openSUSE-RU-2017:1673-1: moderate: Recommended update for links

openSUSE Recommended Update: Recommended update for links
______________________________________________________________________________

Announcement ID:    openSUSE-RU-2017:1673-1
Rating:             moderate
References:         #1022468 #1022469 #946065 #992495
Affected Products:  openSUSE Leap 42.2
______________________________________________________________________________

An update that has four recommended fixes can now be installed.

Description:

This update for links fixes the following security and non-security issues:

Links was updated to version 2.14:

* Limit keepalive of ciphers with 64-bit block size to mitigate the SWEET32 attack boo#1022469
* Report home directory in the "Version" window
* Improved tor hardening
* Use keys 'P' and 'L' to scroll up and down
* Fix a memory leak when copying the current url to clipboard
* Fix crash when the user pressed Ctrl-G on a form field
* Workaround for a bug in librsvg that makes mathematics on Wikipedia unreadable
* Support fourth and fifth mouse button in gpm and framebuffer
* Fixed bugs when downgrading SSL connection while https proxy or socks proxy is used
* Security bug fixed: Do not load or render the content of "407 Proxy Authentication Required" reply when using https proxy. This avoids the FalseCONNECT attack. boo#1022468 Also, don't allow 401 and 407 responses to set cookies.
* Pop openssl error stack on every error - make sure that SSL errors on one connection do not affect other connections
* Never select directfb driver automatically unless started with the '-driver directfb' option

previously patched:

* Disable SSL compression to avoid the CRIME attack boo#1022469

drop links-nosslcomp.patch

Links was updated to version 2.13:

* Page up and page down scroll slightly less than a page
* Use domain list from publicsuffix.org to prevent setting cookies on public domains.
* Fix bug that allowed bla.com to register cookie for la.com or a.com
* Fixed a bug in the X driver that characters with unicode codes 128-255 could not be entered with some locales
* Security bug fixed: Use separate unix domain socket for anonymous instances, so that the anonymous instance won't connect to non-anonymous one [boo#992495]
* <samp> element
* In case of certification verification failure, don't pop up multiple dialog windows asking for the same server
* Do not lookup .onion addresses directly, as specified by rfc7686
* Updated Polish Translation
* Security enhancement: Warn if the SSL/TLS method was downgraded

Links was updated to version 2.12:

* Verify ssl certificates boo#946065
* Warn if server uses SSL2 or SSL3 protocol
* Support SSL client certificates

Links was updated to version 2.10:

* SVG support using the rsvg library
* Attach to existing links instance instead of creating a new instance
* Detect image type based on the first few bytes rather than on content-type
* Use OpenMP in the image scaler
* Preallocate downloaded files on Linux
* Support libevent and libev
* SSL SNI now enabled upstream
* Support keepalive on https connections

Links was updated to 2.9:

* Work around some screen-corruption bugs in the OpenVMS terminal driver
* Support mouse wheel in framebuffer (unfortunately we can't support it in text mode because when we instruct gpm to send us the wheel event, gpm stops drawing the cursor when the mouse is moved).
* Print "^" and "_" for <sub> and <sup> tags in text mode
* An option to fake Firefox in the HTTP header. It modifies User-Agent and several other options to be more Firefox-like. This option is also automatically turned on when "Connect only via proxies or Socks (useful for tor)" is selected. It makes it safer to use Links with tor.
* Fixed quadratic complexity in the text renderer when extremely long lines were used
* Do not print the character 0x9b if the display character set doesn't have it, because it is interpreted as a control character on the Linux console
* An option to break long lines in <pre> sections
* Consume less memory when 8-bit gamma correction is used
* Updated the list of top level domains
* Use malloc_trim to return unused memory to the system
* Support RFC5987 for filenames
* Support StaticColor in the X-window driver
* Fix crash on OS/2 if image is wider than 10921 pixels
* Use clock_gettime if available
* The ability to set screen margins for text mode and framebuffer
* Fix palette corruption on framebuffer when links instance was terminated while it was not active
* Improve the gif decoder to accept more images
* Increase the amount of data read from the socket, it improves speed when loading big images
* Accept "text/xml" as html type

Patch Instructions:

To install this openSUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.2:

  zypper in -t patch openSUSE-2017-732=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE Leap 42.2 (i586 x86_64):

  links-2.14-5.3.1
  links-debuginfo-2.14-5.3.1
  links-debugsource-2.14-5.3.1

References:

https://bugzilla.suse.com/1022468
https://bugzilla.suse.com/1022469
https://bugzilla.suse.com/946065
https://bugzilla.suse.com/992495
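
The two cookie entries under version 2.13 (bla.com registering a cookie for la.com or a.com, and the publicsuffix.org domain list) come down to how a cookie's Domain value is compared with the requesting host. The following C sketch is an added illustration, not code from Links; the function names are hypothetical and the three-entry suffix table is a constructed stand-in for the real list.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample; a real client loads the full list from publicsuffix.org. */
static const char *const sample_public_suffixes[] = { "com", "org", "co.uk" };

/* Flawed check: plain string-suffix comparison with no label boundary. */
int naive_domain_match(const char *host, const char *cookie_domain)
{
    size_t h = strlen(host), d = strlen(cookie_domain);
    return d > 0 && d <= h && strcasecmp(host + (h - d), cookie_domain) == 0;
}

static int is_public_suffix(const char *domain)
{
    size_t i, n = sizeof sample_public_suffixes / sizeof sample_public_suffixes[0];
    for (i = 0; i < n; i++)
        if (strcasecmp(domain, sample_public_suffixes[i]) == 0)
            return 1;
    return 0;
}

/* Corrected check: exact host, or a suffix preceded by '.', never a public suffix. */
int strict_domain_match(const char *host, const char *cookie_domain)
{
    size_t h = strlen(host), d;
    if (*cookie_domain == '.')
        cookie_domain++;                /* a leading dot carries no meaning */
    d = strlen(cookie_domain);
    if (d == 0 || d > h || is_public_suffix(cookie_domain))
        return 0;
    if (strcasecmp(host + (h - d), cookie_domain) != 0)
        return 0;
    return h == d || host[h - d - 1] == '.';
}

int main(void)
{
    const char *host = "bla.com";       /* host name taken from the changelog entry */
    const char *wanted[] = { "bla.com", "la.com", "a.com", "com" };
    size_t i;
    for (i = 0; i < sizeof wanted / sizeof wanted[0]; i++)
        printf("%-8s naive=%d strict=%d\n", wanted[i],
               naive_domain_match(host, wanted[i]),
               strict_domain_match(host, wanted[i]));
    return 0;
}
```

The naive comparison accepts every Domain value in the sample, while the strict one accepts only the host itself and its parent domains that are not public suffixes.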