Package: elinks
Version: 0.12~pre6-4
Tags: security
elinks doesn't verify that the server hostname matches a domain name in
the subject's Common Name or subjectAltName field of the certificate.
Steps to reproduce:
1) Add fake host to /etc/hosts:
5.153.231.4 www.debian.moo
2) Enable certificate validation:
Setup > Options manager > Connections > SSL > Verify certificates
3) Visit https://www.debian.moo/. The browser happily displays the page,
even though the certificate is valid only for "debian.org" and
"www.debian.org" domains.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages elinks depends on:
ii elinks-data 0.12~pre6-4
ii libbz2-1.0 1.0.6-5
ii libc6 2.18-4
ii libcomerr2 1.42.9-3
ii libexpat1 2.1.0-4
ii libfsplib0 0.11-2
ii libgnutls26 2.12.23-13
ii libgpm2 1.20.4-6.1
ii libgssapi-krb5-2 1.12+dfsg-2
ii libidn11 1.28-1
ii libk5crypto3 1.12+dfsg-2
ii libkrb5-3 1.12+dfsg-2
ii libperl5.18 5.18.2-2+b1
ii libtre5 0.8.0-3
ii zlib1g 1:1.2.8.dfsg-1
--
Jakub Wilk
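The check the report says elinks skips, written out as an added example (not code from elinks, GnuTLS or the Debian package): match the requested host against the certificate's subjectAltName dNSName entries, falling back to the subject Common Name only when no dNSName is present, with the wildcard rules of RFC 6125. The certificate data is constructed to mirror the report (a certificate valid for "debian.org" and "www.debian.org"), in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns; the function names are this example's own.

```python
"""Server-name check that should run after chain validation.

Added example, not code from elinks or GnuTLS. Certificate input is a dict
in the shape returned by ssl.SSLSocket.getpeercert(); the one below is
constructed to match the report (valid for debian.org and www.debian.org).
"""

import re

# Constructed stand-in for the certificate presented by www.debian.org:
# only the fields that matter for the hostname check are included.
DEBIAN_CERT = {
    "subject": ((("commonName", "debian.org"),),),
    "subjectAltName": (("DNS", "debian.org"), ("DNS", "www.debian.org")),
}

# One DNS label: letters, digits, inner hyphens (hostname already lowercased).
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def dns_names(cert):
    """Names the certificate is valid for.

    RFC 6125 6.4.4: when dNSName SANs are present the Common Name is ignored,
    so a CN that happens to equal the requested host cannot rescue a
    certificate whose SANs do not cover it.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def pattern_matches(pattern, hostname):
    """Match one certificate name against one hostname, case-insensitively.

    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label: "*.debian.org" covers "www.debian.org" but neither
    "debian.org" nor "a.b.debian.org"; "*.org" and "w*.debian.org" are
    rejected outright (RFC 6125 6.4.3).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if not all(_LABEL.match(label) for label in h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:          # no "*.org"
            return False
        p_labels, h_labels = p_labels[1:], h_labels[1:]
    elif "*" in pattern:
        return False                   # partial or non-leftmost wildcard
    return p_labels == h_labels


def hostname_matches(hostname, cert):
    """True iff hostname is covered by a dNSName SAN, or by the CN fallback."""
    return any(pattern_matches(name, hostname) for name in dns_names(cert))


if __name__ == "__main__":
    # The /etc/hosts trick from the report: right IP, wrong name.
    for host in ("www.debian.org", "www.debian.moo"):
        verdict = "accept" if hostname_matches(host, DEBIAN_CERT) else "reject"
        print(f"{host}: {verdict}")
```

The two halves of TLS server authentication are independent: the chain check answers "did a trusted CA issue this certificate", and only the name check answers "was it issued for the host I asked for". A client that performs the first and skips the second accepts any valid certificate from any site, which is exactly what the /etc/hosts step above exercises. Python's own `ssl.create_default_context()` performs this check itself (`check_hostname=True`); the function here is only to make the rule visible.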