
Bug#752610: marked as done (lynx: Can connect to CVE-2014-0092 test site)



Your message dated Sat, 31 Jan 2015 10:49:24 -0500
with message-id <20150131154924.GA9960@aerie.jexium-island.net>
and subject line re: #752610 lynx: Can connect to CVE-2014-0092 test site
has caused the Debian Bug report #752610,
regarding lynx: Can connect to CVE-2014-0092 test site
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
752610: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752610
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: lynx-cur, libgnutls26
Severity: serious
Tags: security

Hi,

There is a test site for checking the gnutls bug:
https://gnutls.notary.icsi.berkeley.edu/

I can connect to it and get the message:
   If you see this without getting a certificate error you are
   vulnerable against the GnuTLS bug

I can reproduce this with the following combinations:
stable:
ii  libgnutls26:amd64  2.12.20-8+deb7u2
ii  lynx-cur           2.8.8dev.12-2

And testing:
ii  libgnutls26:amd64  2.12.23-16
ii  lynx-cur           2.8.8pre5-1


Using gnutls-bin gnutls-bin 3.0.22-3+really2.12.20-8+deb7u2 I also
get:
$ gnutls-cli -p 443 gnutls.notary.icsi.berkeley.edu --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 159 CA certificate(s).
Resolving 'gnutls.notary.icsi.berkeley.edu'...
Connecting to '192.150.187.13:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

While with 3.3.2-2 I get:
$ gnutls-cli -p 443 gnutls.notary.icsi.berkeley.edu --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 168 CA certificate(s).
Resolving 'gnutls.notary.icsi.berkeley.edu'...
Connecting to '192.150.187.13:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=gnutls.notary.icsi.berkeley.edu,OU=ICSI GnuTLS Crt,O=ICSI GnuTLS Test Cert.', issuer `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-08-28 14:51:35 UTC', expires `2015-08-28 14:51:35 UTC', SHA-1 fingerprint `b20c942cd0dd72cd5a02b697ba6862064727f3d9'
        Public Key ID:
                c9952718d6b2c42cd432b9d8c0f0730ab3286c9d
        Public key's random art:
                +--[ RSA 2048]----+
                |  .o ..=o.       |
                |   .o =.*o..     |
                |  o o+.*.o+ .    |
                |...+o+o..o o     |
                |oo.E.   S        |
                |o                |
                |                 |
                |                 |
                |                 |
                +-----------------+

- Certificate[1] info:
 - subject `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287', issuer `C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-11-16 01:54:37 UTC', expires `2026-11-16 01:54:37 UTC', SHA-1 fingerprint `7c4656c3061f7f4c0d67b319a855f60ebc11fc44'
- Status: The certificate is NOT trusted. The certificate issuer is not a CA.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.


The 3.3.2-2 version is linked to libgnutls28 of course.


Kurt

--- End Message ---
--- Begin Message ---
The report/discussion appears to be the same as #745835, and I merged them
for that reason.  The original report is unreproducible, because the test
site is gone.  Closing.

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net



--- End Message ---
