873262 – (CVE-2012-5821) CVE-2012-5821 lynx: Does not verify that the server's certificate is signed by a trusted certification authority

Bug 873262 (CVE-2012-5821) - CVE-2012-5821 lynx: Does not verify that the server's certificate is signed by a trusted certification authority

Summary: CVE-2012-5821 lynx: Does not verify that the server's certificate is signed b...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2012-5821
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	873278
Blocks:	873282
TreeView+	depends on / blocked

Reported:	2012-11-05 13:24 UTC by Jan Lieskovsky
Modified:	2021-02-17 08:27 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-11-06 16:13:02 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jan Lieskovsky 2012-11-05 13:24:28 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5821 to the following vulnerability:

Lynx does not verify that the server's certificate is signed by a trusted certification authority, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate, related to improper use of a certain GnuTLS function.

References:
[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[2] https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
[3] http://www.sigsac.org/ccs/CCS2012/techprogram.shtml

Comment 1 Jan Lieskovsky 2012-11-05 13:44:53 UTC

Created lynx tracking bugs for this issue

Affects: fedora-all [bug 873278]

Comment 2 Kamil Dudka 2012-11-05 13:58:07 UTC

We build lynx against OpenSSL, not GnuTLS.  So this CVE does not apply, does it?

Comment 3 Jan Lieskovsky 2012-11-05 14:45:23 UTC

(In reply to comment #2)
> We build lynx against OpenSSL, not GnuTLS.  So this CVE does not apply, does
> it?

In all supported versions? (me didn't check)

Comment 4 Kamil Dudka 2012-11-05 15:44:36 UTC

Yes, lynx was built against OpenSSL in RHEL-3 already.

Comment 5 Jan Lieskovsky 2012-11-06 16:09:27 UTC

This issue did not affect the versions of the lynx package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue did not affect the versions of the lynx package, as shipped with Fedora release of 16 and 17.

Comment 6 Jan Lieskovsky 2012-11-06 16:13:02 UTC

Statement:

Not vulnerable. This issue did not affect the versions of lynx as shipped with Red Hat Enterprise Linux 5 and 6 as they were not build against GnuTLS.

Note You need to log in before you can comment on or make changes to this bug.