Control: reassign -1 elinks 0.12~pre5-9

Here's the result of my investigation of this bug in the context of CVE-2012-6709.
I tested the following domains:

* https://wrong.host.badssl.com/
* https://self-signed.badssl.com/
* https://untrusted-root.badssl.com/

Obviously, there are many more possible problems with certificate checking, but the "dashboard" page on badssl.com requires JavaScript, so it doesn't work in the browsers we're interested in here.

In both Debian stretch and Debian wheezy, links2 (and lynx and w3m, for what it's worth) correctly warns about those three sites being incorrectly verified. elinks, however, fails to fail and loads all three sites without warning, so there's a security issue there.

So I've reassigned this bug to the elinks package and will triage the CVE correctly in the security tracker.