Adeodato Simó writes:
> * Neil Moore [Thu, 01 Jan 2009 11:57:35 -0500]:
>
> > Package: links2
> > Version: 2.2-1
> > Severity: grave
> > Tags: security
> > Justification: user security hole
>
> Hello, Neil. I’m sorry I’m not mailing you to help solve this bug, since
> I’m not the maintainer of links2.
>
> I do release management in Debian, and I’m interested in knowing whether
> this bug affects 2.1pre37-1.1, which is currently in stable (and testing).
> Do you know if that is the case? Could you perhaps check?

The bug is present in 2.1pre37-1.1, as well as in 2.1pre26-4 (the version in oldstable).

The site I am using to test is internal, and will soon have a real certificate, hence my reluctance to post its URL. One can test for at least part of the problem with:

https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/

(the URL from the dillo bug #510348). This site has an (intentionally) expired certificate, and is signed with a fake (collided) MD5-hashed CA cert, though it does have a correct hostname. Depending on the version of OpenSSL and the CA certs list, it should report either an expired cert or a bad signature.

Hope this helps,
--
Neil Moore, n...@s-z.org, http://s-z.org/neil/