Bug 19714

Summary: lynx new security issue CVE-2016-9179
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, davidwhodgins, mageia, marja11, nicolas.salguero, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/714582/
Whiteboard: mga5-32-ok advisory MGA5-64-OK
Source RPM: lynx-2.8.8-1.rel2.5.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-11-04 15:23:41 CET 
A CVE has been assigned for a security issue in lynx:
http://openwall.com/lists/oss-security/2016/11/04/1

No fix is available yet, but the upstream author said that he would work on it.

Mageia 5 is also affected.
David Walser 2016-11-04 15:23:47 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-11-04 23:46:35 CET 
Already assigning to all packagers collectively. (There is no registered maintainer for this package.)

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2016-11-16 17:56:10 CET 
how to test this ?

CC: (none) => mageia

Comment 3 Nicolas Lécureuil 2016-11-16 17:58:20 CET 
ok fixed in : http://lynx.invisible-island.net/current/CHANGES.html#index-v2.8.9dev.10
Comment 4 Nicolas Lécureuil 2016-11-16 18:00:18 CET 
but i don't find where the code is hosted
Comment 5 David Walser 2017-02-15 01:14:21 CET 
Fedora has issued an advisory for this today (February 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FUXKJDF62YGEI7SVFFUYQ56QCKESXF3W/

Hopefully we can find a patch for this so we don't have to get back on the development release train.
David Walser 2017-02-15 19:27:27 CET

URL: (none) => https://lwn.net/Vulnerabilities/714582/

Comment 6 Nicolas Salguero 2017-02-17 11:31:17 CET 
Suggested advisory:
========================

The updated package fix a security vulnerability:

Lynx doesn't parse the authority component of the URL correctly when the host name part ends with '?', and could instead be tricked into connecting to a different host. (CVE-2016-9179)

References:
http://openwall.com/lists/oss-security/2016/11/04/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9179
========================

Updated packages in core/updates_testing:
========================
lynx-2.8.8-1.rel2.3.1.mga5

from SRPMS:
lynx-2.8.8-1.rel2.3.1.mga5.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 7 Brian Rockwell 2017-02-18 17:16:16 CET 
32-bit version

Installed lynx and was able to browse around the Mageia website.  Seems to work from a base perspective

CC: (none) => brtians1
Whiteboard: (none) => mga5-32-ok

Dave Hodgins 2017-02-19 21:58:22 CET

CC: (none) => davidwhodgins
Whiteboard: mga5-32-ok => mga5-32-ok advisory

Comment 8 Dave Hodgins 2017-02-20 06:47:10 CET 
Trying http://www.google.ca?localhost both before and after the update fails, so
not sure how to recreate the bug.

Normal web browsing is working, so validating the update.

Keywords: (none) => validated_update
Whiteboard: mga5-32-ok advisory => mga5-32-ok advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2017-02-20 14:00:59 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0052.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED