Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5821 to the following vulnerability: Lynx does not verify that the server's certificate is signed by a trusted certification authority, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate, related to improper use of a certain GnuTLS function.

References:
[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[2] https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
[3] http://www.sigsac.org/ccs/CCS2012/techprogram.shtml
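As an added illustration (not code from Lynx or from this bug report), the C below shows why the result of a GnuTLS peer-verification call has to be read in full. It assumes the unnamed function is gnutls_certificate_verify_peers2, which signals an internal error only through a negative return value and delivers the actual verdict in its status bitmask; the flag values are copied from the GnuTLS header so the block builds without the library, and the permissive check is a constructed example of the class of mistake, not a quote of Lynx's code.

```c
#include <stdio.h>
#include <string.h>

/* Status bits as defined in <gnutls/gnutls.h> (gnutls_certificate_status_t);
 * copied here so the example compiles without GnuTLS installed. */
#define GNUTLS_CERT_INVALID            (1 << 1)
#define GNUTLS_CERT_REVOKED            (1 << 5)
#define GNUTLS_CERT_SIGNER_NOT_FOUND   (1 << 6)
#define GNUTLS_CERT_SIGNER_NOT_CA      (1 << 7)
#define GNUTLS_CERT_INSECURE_ALGORITHM (1 << 8)
#define GNUTLS_CERT_NOT_ACTIVATED      (1 << 9)
#define GNUTLS_CERT_EXPIRED            (1 << 10)

/* Permissive interpretation (constructed example of the bug class):
 * a non-negative return is taken to mean "verification passed", so the
 * status bitmask, which carries the real verdict, is never consulted. */
int permissive_is_trusted(int ret, unsigned int status)
{
    (void)status;
    return ret >= 0;
}

/* Correct interpretation: a negative return means the check itself failed,
 * a zero return only means the check ran, and the chain is trusted only
 * when no status bit at all is set. Unknown bits therefore fail closed. */
int strict_is_trusted(int ret, unsigned int status)
{
    return ret >= 0 && status == 0;
}

/* Human-readable reason for a rejection, for the client's log line. */
const char *status_reason(unsigned int status)
{
    if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)   return "signer not found";
    if (status & GNUTLS_CERT_SIGNER_NOT_CA)      return "signer is not a CA";
    if (status & GNUTLS_CERT_REVOKED)            return "certificate revoked";
    if (status & GNUTLS_CERT_EXPIRED)            return "certificate expired";
    if (status & GNUTLS_CERT_NOT_ACTIVATED)      return "certificate not yet valid";
    if (status & GNUTLS_CERT_INSECURE_ALGORITHM) return "insecure signature algorithm";
    if (status & GNUTLS_CERT_INVALID)            return "certificate invalid";
    return status ? "unknown status flag" : "trusted";
}

int main(void)
{
    /* Constructed outcome: the call itself succeeded (ret 0) but the chain
     * ends in a signer that is not in the trust store. */
    unsigned int status = GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND;
    printf("permissive: %d, strict: %d (%s)\n",
           permissive_is_trusted(0, status), strict_is_trusted(0, status),
           status_reason(status));
    return 0;
}
```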
Created lynx tracking bugs for this issue:
Affects: fedora-all [bug 873278]
We build lynx against OpenSSL, not GnuTLS. So this CVE does not apply, does it?
(In reply to comment #2)
> We build lynx against OpenSSL, not GnuTLS. So this CVE does not apply, does it?
In all supported versions? (I didn't check)
Yes, lynx was built against OpenSSL in RHEL-3 already.
This issue did not affect the versions of the lynx package as shipped with Red Hat Enterprise Linux 5 and 6.
--
This issue did not affect the versions of the lynx package as shipped with Fedora releases 16 and 17.
Statement: Not vulnerable. This issue did not affect the versions of lynx as shipped with Red Hat Enterprise Linux 5 and 6, as they were not built against GnuTLS.