Following problem was reported to elinks bugzilla [1]: If ELinks is making a POST request to an https URL, and a proxy has been defined for https, ELinks takes the body and Content-* headers of the POST request and adds them to the CONNECT request in cleartext. So the proxy can now snoop all the data that was supposed to be hidden by TLS, as can anyone between ELinks and the proxy. Apparently some proxies also entirely refuse such requests. [1] http://bugzilla.elinks.cz/show_bug.cgi?id=937 Fixed in 0.11.3, upstream bugzilla contains references to GIT commits in various branches.
Support for HTTPS proxy was introduced in elinks version 0.5rc1. Version of elinks as shipped in Red Hat Enterprise Linux 3 is therefore not vulnerable. Also links as shipped in Red Hat Enterprise Linux 2.1 does not provide HTTPS proxy support and is not affected by this problem.
Ok, so it seems to be that affected supported versions are FC-6, F-7, RHEL4 and RHEL5 - because devel contains 0.11.3 version. I will update versions for Fedora, because it is the easiest way, for RHEL4 and RHEL5 we should discuss the way how to proceed.
Thanks Ondrej for feedback. Created tracking bugs for current Fedora versions.
Created attachment 204441 [details] 0.10.6 upstream patch
Created attachment 204461 [details] Upstream patch for 0.11.1
Fixed in all affected products: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2007-0933.html Fedora updated to fixed upstream version