Launchpad.net

CVE 2007-5034

ELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to sniff sensitive data that would have been protected by TLS. NOTE: this issue only occurs when a proxy is defined for https.

Related bugs and status

CVE-2007-5034 (Candidate) is related to these bugs:

Bug #141018: ELinks reveals POST data to HTTPS proxy

Summary				In	Importance	Status
	141018	ELinks reveals POST data to HTTPS proxy		elinks (Ubuntu)	Medium	Fix Released

Bug #144883: [Merge] elinks 0.11.1-1.5ubuntu1

Summary				In	Importance	Status
	144883	[Merge] elinks 0.11.1-1.5ubuntu1		elinks (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://bugzilla.elinks...
CONFIRM: https://bugs.launchpad...
CONFIRM: https://bugzilla.redha...
FEDORA: FEDORA-2007-2224
SECUNIA: 26936
SECUNIA: 26956
UBUNTU: USN-519-1
BID: 25799
SECUNIA: 26949
DEBIAN: DSA-1380
REDHAT: RHSA-2007:0933
SECTRACK: 1018764
SECUNIA: 27062
SECUNIA: 27125
FEDORA: FEDORA-2007-710
SECUNIA: 27132
SECUNIA: 27038
VUPEN: ADV-2007-3278
OVAL: oval:org.mitre.oval:de...
BUGTRAQ: 20071005 rPSA-2007-020...