Neil Moore
2009-Jan-01 16:57 UTC
[Secure-testing-team] Bug#510417: links2: silently accepts bad SSL certificates
Package: links2
Version: 2.2-1
Severity: grave
Tags: security
Justification: user security hole

Links2 does not validate certificates it receives; as a result, there is no warning that one is visiting a page with an expired certificate, a certificate not signed by a trusted authority, or a certificate for the wrong hostname. As a result, an attacker capable of intercepting one's packets can launch a man-in-the-middle attack to obtain account numbers, passwords, etc.

At the very least, the documentation should prominently warn that links2's HTTPS support is not to be relied upon for sensitive information.

This is the same issue reported in bug 510348 for the (unrelated) browser 'dillo'.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-openvz-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages links2 depends on:
ii  libc6              2.7-16            GNU C Library: Shared libraries
ii  libdirectfb-1.0-0  1.0.1-11          direct frame buffer graphics - sha
ii  libgpm2            1.20.4-3.1        General Purpose Mouse - shared lib
ii  libjpeg62          6b-14             The Independent JPEG Group's JPEG
ii  libpng12-0         1.2.27-2          PNG library - runtime
ii  libssl0.9.8        0.9.8g-14         SSL shared libraries
ii  libsvga1           1:1.4.3-27        console SVGA display libraries
ii  libtiff4           3.8.2-11          Tag Image File Format (TIFF) libra
ii  libx11-6           2:1.1.5-2         X11 client-side library
ii  zlib1g             1:1.2.3.3.dfsg-12 compression library - runtime

links2 recommends no packages.

links2 suggests no packages.

-- no debconf information
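The three checks the report says links2 skips (validity period, trust in the issuer, hostname binding), as an added example that is not links2's or Debian's code: a Python validator over the dict form that ssl.SSLSocket.getpeercert() returns, run offline against a constructed certificate; the issuer check compares names against a constructed trust list, which only stands in for the signature-chain verification a real client performs against its CA store.

```python
import ssl
import time

# Constructed trust list: issuer names standing in for a CA store. A real client
# verifies the signature chain against the store; this is only the shape of the check.
TRUSTED_ISSUERS = {"Example Root CA"}

# Constructed sample certificate in the dict form ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "bank.example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "bank.example.com"), ("DNS", "*.bank.example.com")),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
JUNE_2010 = 1275350400  # constructed "current time" (2010-06-01 UTC) inside the validity window

def _common_name(name):
    # getpeercert() names are tuples of RDNs, each a tuple of (attribute, value) pairs.
    return next((v for rdn in name for a, v in rdn if a == "commonName"), None)

def hostname_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; '*' allowed only as the whole
    leftmost label of a name with three or more labels, and it never spans a dot."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]

def validate_cert(cert, hostname, now=None):
    """Return the list of problems found; an empty list means the certificate may be trusted."""
    now = time.time() if now is None else now
    problems = []
    # 1. validity window (the "expired certificate" case in the report)
    valid_from = ssl.cert_time_to_seconds(cert["notBefore"])
    valid_to = ssl.cert_time_to_seconds(cert["notAfter"])
    if not valid_from <= now <= valid_to:
        problems.append("expired or not yet valid")
    # 2. issuer trust (the "not signed by a trusted authority" case)
    if _common_name(cert["issuer"]) not in TRUSTED_ISSUERS:
        problems.append("issuer not trusted")
    # 3. name binding (the "certificate for the wrong hostname" case): SAN first, CN as fallback
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"] or [_common_name(cert["subject"]) or ""]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("wrong hostname")
    return problems
```

A browser that returns a non-empty list here is the point at which a warning must be shown instead of silently loading the page.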