
Bug#776073: marked as done (lynx-cur: can connect to site with expired certificate)



Your message dated Mon, 26 Jan 2015 18:33:26 +0000
with message-id <E1YFoTW-0004UC-9T@franck.debian.org>
and subject line Bug#745835: fixed in lynx-cur 2.8.9dev4-1
has caused the Debian Bug report #745835,
regarding lynx-cur: can connect to site with expired certificate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
745835: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745835
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: lynx-cur
Version: 2.8.9dev1-2+b1
Severity: grave
Tags: security
Justification: user security hole

lynx can connect to https://www.projet-plume.org/ without any error,
though its certificate has expired.

Firefox says:

  www.projet-plume.org uses an invalid security certificate.
  The certificate expired on 2014-12-05 00:59. The current time
  is 2015-01-23 16:38.
  (Error code: sec_error_expired_certificate)

Also checked with:

  openssl s_client -CApath /etc/ssl/certs -connect www.projet-plume.org:443

which outputs:

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = NL, O = TERENA, CN = TERENA SSL CA
verify return:1
depth=0 C = FR, L = LABEGE CEDEX, O = CNRS, OU = MOY1678, CN = projet-plume.org
verify error:num=10:certificate has expired
notAfter=Dec  4 23:59:59 2014 GMT
verify return:1
depth=0 C = FR, L = LABEGE CEDEX, O = CNRS, OU = MOY1678, CN = projet-plume.org
notAfter=Dec  4 23:59:59 2014 GMT
verify return:1
[...]
    Verify return code: 10 (certificate has expired)
---
DONE

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages lynx-cur depends on:
ii  libbsd0            0.7.0-2
ii  libbz2-1.0         1.0.6-7+b2
ii  libc6              2.19-13
ii  libgcrypt20        1.6.2-4+b1
ii  libgnutls-deb0-28  3.3.8-5
ii  libidn11           1.29-1+b2
ii  libncursesw5       5.9+20140913-1+b1
ii  libtinfo5          5.9+20140913-1+b1
ii  zlib1g             1:1.2.8.dfsg-2+b1

Versions of packages lynx-cur recommends:
ii  mime-support  3.58

lynx-cur suggests no packages.

-- debconf information:
  lynx-cur/etc_lynx.cfg:
  lynx-cur/defaulturl: http://www.vinc17.org/

--- End Message ---
--- Begin Message ---
Source: lynx-cur
Source-Version: 2.8.9dev4-1

We believe that the bug you reported is fixed in the latest version of
lynx-cur, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 745835@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated lynx-cur package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 26 Jan 2015 18:57:50 +0100
Source: lynx-cur
Binary: lynx-cur lynx-cur-wrapper lynx
Architecture: source i386 all
Version: 2.8.9dev4-1
Distribution: experimental
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description:
 lynx       - Text-mode WWW Browser (transitional package)
 lynx-cur   - Text-mode WWW Browser with NLS support (development version)
 lynx-cur-wrapper - Wrapper for lynx-cur (transitional package)
Closes: 745835
Changes:
 lynx-cur (2.8.9dev4-1) experimental; urgency=medium
 .
   * QA upload.
   * 21_do_not_strip_-g.diff: Build with -g. (Thanks, Simon Ruderich)
   * New upstream version:
     + Makes use of gnutls_certificate_verification_status_print
       instead of only checking a selection of verification errors.
       Closes: #745835

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
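
The changelog above attributes the fix to no longer "only checking a selection of verification errors". As an added illustration (not lynx or GnuTLS code), the C example below contrasts a selective test of a verification status bitmask, which lets an expired certificate through, with a fail-closed test that rejects any non-zero status and reports every reason; the ST_* flags, their values and both function names are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for a TLS library's verification status bits;
 * the names and values are assumptions for this example, not GnuTLS's. */
enum { ST_INVALID = 1, ST_REVOKED = 2, ST_SIGNER_NOT_FOUND = 4,
       ST_EXPIRED = 8, ST_NOT_ACTIVATED = 16 };

static const struct { unsigned bit; const char *text; } reasons[] = {
    { ST_INVALID,          "certificate is not trusted" },
    { ST_REVOKED,          "certificate has been revoked" },
    { ST_SIGNER_NOT_FOUND, "issuer is unknown" },
    { ST_EXPIRED,          "certificate has expired" },
    { ST_NOT_ACTIVATED,    "certificate is not yet valid" },
};

/* Selective check: rejects only for the bits the author thought of,
 * so expired, not-yet-valid and unknown bits are silently accepted. */
int accept_selective(unsigned status)
{
    return !(status & (ST_SIGNER_NOT_FOUND | ST_REVOKED));
}

/* Fail closed: any non-zero status rejects; 'why' lists every reason. */
int accept_strict(unsigned status, char *why, size_t len)
{
    size_t used = 0;
    unsigned left = status;
    if (len) why[0] = '\0';
    if (status == 0) return 1;
    for (size_t i = 0; i < sizeof reasons / sizeof reasons[0]; i++) {
        if (!(status & reasons[i].bit)) continue;
        left &= ~reasons[i].bit;
        if (used < len)
            used += (size_t)snprintf(why + used, len - used, "%s%s",
                                     used ? "; " : "", reasons[i].text);
    }
    if (left && used < len) /* bits a newer library version might add */
        snprintf(why + used, len - used, "%sunrecognised status 0x%x",
                 used ? "; " : "", left);
    return 0;
}

int main(void)
{
    char why[128];
    int strict = accept_strict(ST_EXPIRED, why, sizeof why);
    printf("selective=%d strict=%d (%s)\n", accept_selective(ST_EXPIRED), strict, why);
    return 0;
}
```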
