elinks: should be removed from repository due to nasty security issue. - Shell termux-packages

elinks doesn't verify TLS certificates when connecting to https servers.

This is a nasty security issue.

The issue has been reported since 2017[1] and still no action has been taken to fix this serious security issue.

OpenBSD has removed elinks from their ports repository due to this issue[2].

For a better alternative that works with certificate verification, links2 is available as an elinks replacement[3].

[1] http://lists.linuxfromscratch.org/pipermail/elinks-dev/2017-March/002119.html
[2] https://github.com/openbsd/ports/commit/e1e17bc3804d21942b5f89fc81d703af2d5902db
[3] http://links.twibright.com

Asked Oct 19 '21 17:10
alive4ever

4 Answers:

Just tested SSL with elinks - looks like it does some verification checks. Seems that this feature was added via this commit: https://github.com/xeffyr/elinks/commit/f43f5714e8815e7c3b2c1f18cd2ca8c311ce5706

1
Answered Mar 04 '18 at 22:58
xeffyr

There is no such commit.

If you think that you've fixed the ssl verification issue, you should upstream the patch.

1
Answered Mar 05 '18 at 01:09
alive4ever

> There is no such commit.

There is such a commit: http://repo.or.cz/elinks.git/commit/f43f5714e8815e7c3b2c1f18cd2ca8c311ce5706 , just correct your URL.

Termux already uses the latest git version of elinks.

1
Answered Mar 05 '18 at 01:35
xeffyr

@fornwall, @Grimler91, I guess this could be closed for now since the git version of elinks does verification of certificates; at least it shows a warning when the cert is self-signed.

1
Answered Mar 11 '18 at 12:45
xeffyr