Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#13672 closed enhancement (fixed)


Reported by: ken@…
Owned by: ken@…
Priority: high
Milestone: 10.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:


This is an important security release fixing two issues.

The first is a possible IMAP man-in-the-middle attack. No credentials are exposed, but could result in unintended emails being "saved" to an attacker's server. The $ssl_starttls quadoption is now used to check for an unencrypted PREAUTH response from the server.

Thanks very much to Damian Poddebniak and Fabian Ising from the Münster University of Applied Sciences for reporting this issue, and their help in testing the fix.

The second fix is for a problem with GnuTLS certificate prompting. "Rejecting" an expired intermediate cert did not terminate the connection. Thanks to @henk on IRC for reporting the issue.
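The PREAUTH check described in the first fix, as an added example in Python (not the mail client's own code): it classifies the server's untagged greeting and refuses an unencrypted PREAUTH unless the $ssl_starttls quadoption allows a plaintext session. The Decision type, the function name, and the mapping of the ask-* values to their default answers (there is no interactive prompt here) are assumptions of this example.

```python
import re
from dataclasses import dataclass

# An IMAP server greets with exactly one untagged status line (RFC 3501, 7.1):
# "* OK ..." (authenticate next), "* PREAUTH ..." (already logged in), "* BYE ...".
GREETING_RE = re.compile(r"^\* (OK|PREAUTH|BYE)\b")


@dataclass
class Decision:
    state: str      # "unauthenticated", "authenticated" or "closed"
    proceed: bool   # may the client keep using this connection?
    reason: str


def check_greeting(line: str, tls_active: bool, ssl_starttls: str) -> Decision:
    """Classify the greeting and apply the $ssl_starttls policy to PREAUTH.

    tls_active:   True when the socket is already TLS-wrapped (imaps://).
    ssl_starttls: quadoption value "yes", "no", "ask-yes" or "ask-no". Without an
                  interactive prompt, the ask-* values take their default answer
                  (assumption made for this example, not the client's behaviour).
    """
    m = GREETING_RE.match(line.rstrip("\r\n"))
    if m is None:
        return Decision("closed", False, "malformed greeting")
    kind = m.group(1)
    if kind == "BYE":
        return Decision("closed", False, "server declined the connection")
    if kind == "OK":
        # Normal path: the client issues STARTTLS (per $ssl_starttls) before LOGIN.
        return Decision("unauthenticated", True, "plain greeting; STARTTLS next")
    # PREAUTH: the server claims the session is already authenticated, so the
    # client never sends STARTTLS and anything it later APPENDs travels in clear.
    if tls_active:
        return Decision("authenticated", True, "PREAUTH inside an existing TLS session")
    want_tls = ssl_starttls in ("yes", "ask-yes")   # default answer of the quadoption
    if want_tls:
        # An on-path party can inject "* PREAUTH" to suppress STARTTLS; honour the
        # user's TLS preference and drop the unencrypted session instead.
        return Decision("closed", False,
                        f"unencrypted PREAUTH refused (ssl_starttls={ssl_starttls})")
    return Decision("authenticated", True,
                    f"unencrypted PREAUTH accepted (ssl_starttls={ssl_starttls})")
```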

Change History (9)

comment:1 by ken@…, 2 years ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

comment:2 by ken@…, 2 years ago

manual.txt is no longer shipped; apparently it is expected to be regenerated during the build.

But configure errors:

checking whether it is safe to define __EXTENSIONS__... yes
checking build system type... Invalid configuration `time': machine `time' not recognized
configure: error: /bin/sh ./config.sub time failed

comment:3 by ken@…, 2 years ago

It gets worse: I get the same error on my server (LFS-9.1) with 1.14.3 but also with 1.14.2. And 1.14.2 was the last thing I installed on the server. :-(

comment:4 by ken@…, 2 years ago

/me swears loudly and extendedly.

I'd typed the configure command without prefixing it with 'time ', then somehow managed to put that in the middle of the command.

I don't like Mondays.

comment:5 by ken@…, 2 years ago

With my dependencies, manual.txt does NOT get regenerated. It is still installed as empty.

Looks as if libxslt and links need to be recommended.

comment:6 by ken@…, 2 years ago

In fact, with the reconfiguration libxslt is not used. Either links or w3m or elinks.

Actually, links could replace elinks; the command needs to not only replace elinks by links, but also drop the '-no-numbering -no-referencing' switches which links does not understand. The difference from using lynx is that lynx produces text intended to be used in less with a lot of overtyped characters for bold text, whereas the modified links invocation is plain text without highlighting.

Hmm, the lynx command uses --with-backspaces (the w3m command has no equivalent switches); omitting that produces plain text output. I'll think about how to fix this up so that lynx or links can be used to produce plain text.

comment:7 by ken@…, 2 years ago

Resolution: fixed
Status: assigned → closed

comment:8 by Bruce Dubbs, 2 years ago

Milestone: 9.2 → 10,0

Milestone renamed

comment:9 by Bruce Dubbs, 2 years ago

Milestone: 10,0 → 10.0

Milestone renamed
