PublicDate: 2007-09-21 20:17:00 UTC
Candidate: CVE-2007-5034
References: 
 https://bugs.launchpad.net/ubuntu/+source/elinks/+bug/141018
 http://bugzilla.elinks.cz/show_bug.cgi?id=937
 https://ubuntu.com/security/notices/USN-519-1
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5034
Description:
 ELinks before 0.11.3, when sending a POST request for an https URL, appends
 the body and content headers of the POST request to the CONNECT request in
 cleartext, which allows remote attackers to sniff sensitive data that would
 have been protected by TLS.  NOTE: this issue only occurs when a proxy is
 defined for https.
Ubuntu-Description: 
 Kalle Olavi Niemitalo discovered that if elinks makes a POST request
 to an HTTPS URL through a proxy, information may be sent in clear-text
 between elinks and the proxy. Attackers with access to the network
 could steal sensitive information (such as passwords).
Notes: 
 jdstrand> 0.11.3 and higher not vulnerable
Priority: untriaged
Discovered-by:
Assigned-to:
CVSS:

Bugs: 
upstream_elinks: released (0.11.3)
dapper_elinks: released (0.10.6-1ubuntu3.2)
edgy_elinks: released (0.11.1-1ubuntu2.2)
feisty_elinks: released (0.11.1-1.2ubuntu2.2)
devel_elinks: released (0.11.1-1.5ubuntu1)