elinks: should be removed from repository due to nasty security issue. - Shell termux-packages

elinks doesn't verify the TLS certificate when connecting to HTTPS servers.

This is a nasty security issue.

The issue has been reported since 2017[1], and still no action has been taken to fix this serious security issue.

OpenBSD has removed elinks from their ports repository due to this issue[2].

For a better alternative that works with certificate verification, links2 is available as an elinks replacement[3].

[1] http://lists.linuxfromscratch.org/pipermail/elinks-dev/2017-March/002119.html
[2] https://github.com/openbsd/ports/commit/e1e17bc3804d21942b5f89fc81d703af2d5902db
[3] http://links.twibright.com

Asked Mar 3 '18 at 19:44
alive4ever

Answers:

1

Just tested SSL with elinks - looks like it does some verification checks. Seems that this feature was added via this commit: https://github.com/xeffyr/elinks/commit/f43f5714e8815e7c3b2c1f18cd2ca8c311ce5706


Answered Mar 04 '18 at 22:58
xeffyr
0

There is no such commit.

If you think that you've fixed the ssl verification issue, you should upstream the patch.

Answered Mar 05 '18 at 01:09
alive4ever
0

> There is no such commit.

There is such a commit: http://repo.or.cz/elinks.git/commit/f43f5714e8815e7c3b2c1f18cd2ca8c311ce5706 , just correct your URL.

Termux already uses the latest git version of elinks.

Answered Mar 05 '18 at 01:35
xeffyr
0

@fornwall, @Grimler91, I guess this could be closed for now since the git version of elinks does verification of certificates; at least it shows a warning when the cert is self-signed.

Answered Mar 11 '18 at 12:45
xeffyr