| Summary: | lynx new security issue CVE-2021-38165 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | lynx-2.8.9-0.rel1.1.mga9.src.rpm | CVE: | CVE-2021-38165 |
| Status comment: | | | |
Description
David Walser
2021-08-07 20:41:30 CEST

Comment 1
David Walser
2021-08-07 20:41:40 CEST
Whiteboard: (none) => MGA8TOO

Comment 2
This homeless SRPM has been committed by different people, so assigning this bug globally.
Assignee: bugsquad => pkg-bugs

Comment 3
From reading the rest of the thread, it appears to be fixed in 2.9.0dev.9.
Status comment: (none) => Fixed upstream in 2.9.0dev.9

Comment 4
Debian has issued an advisory for this today (August 10):
https://www.debian.org/security/2021/dsa-4953

Suggested advisory:
========================

The updated package fixes a security vulnerability:

Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data. (CVE-2021-38165)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38165
https://www.openwall.com/lists/oss-security/2021/08/07/9
https://www.debian.org/security/2021/dsa-4953
========================

Updated packages in core/updates_testing:
========================
lynx-2.8.9-0.dev17.4.1.mga8

from SRPM:
lynx-2.8.9-0.dev17.4.1.mga8.src.rpm
Status: NEW => ASSIGNED

Comment 5
Fedora has issued an advisory for this today (September 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VKNK7GQBJBUBMJVNKVC7RTCYWUYMFJQW/
Severity: normal => major

Comment 6
mga8, x64

CVE-2021-38165

No idea how to go about testing this but invented a URL to expose the fault.

$ lynx https://<user>:<password>@mageia.org
Looking up mageia.org
Making HTTPS connection to mageia.org
SSL callback:self signed certificate, preverify_ok=0, ssl_okay=0
SSL callback:self signed certificate, preverify_ok=1, ssl_okay=1
lynx: Can't access startfile https://<user>:<password>@mageia.org/

User credentials in clear text.

After update:
Ran the dummy command. No sign of the user password in the terminal. "URL is not absolute". User screen appeared showing "Home of the Mageia project (p1 of 2)". Much of the page was in Afrikaans (presumably the first one in the language list). Read the Mageia Blog, logged in and logged out, then quit.

$ lynx https://exoplanet.eu/
That hung.

$ https://apod.nasa.gov/apod/astropix.html
The APOD page came up immediately. Followed a link in the text to another page, browsed that, then back to the main page. Activated the Archive link and displayed an earlier APOD page. Invoked Help and then Keystroke commands. Tried a few on the help document, then M to return to the main screen. Used d on the main picture to download it and rename it. That seemed to succeed but could not find it in Downloads. Exited and found the download in the current directory.

The basic operations all work so this can go.
Whiteboard: (none) => MGA8-64-OK

Comment 7
Validating Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
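The advisory text in Comment 4 says the defect is that the userinfo part of the URI ("user:password@") ends up inside the TLS server_name (SNI) extension, and the test in Comment 6 only looks for the password in the terminal output, whereas the leak is on the wire, in the ClientHello, before any encryption. The following Python is an added example, not code from this bug, from lynx or from Mageia: it puts a hypothetical naive authority-to-hostname extraction of the kind the advisory describes beside a correct one, and includes a minimal ClientHello builder and parser so a captured ClientHello can be checked for leaked credentials. All function names are my own, the ClientHello bytes are constructed in the block, and the naive function illustrates the bug class rather than reproducing lynx's actual code.

```python
import ipaddress
import os
from urllib.parse import urlsplit


def naive_authority_name(url: str) -> str:
    """Hypothetical buggy extraction for contrast (not lynx's code): the whole
    URI authority, userinfo included, is treated as the server name."""
    return url.partition("//")[2].split("/", 1)[0]


def sni_hostname_from_url(url: str):
    """Return the name that belongs in the SNI extension for this URL.

    urlsplit() separates userinfo, host and port per RFC 3986, so credentials
    never reach the result.  RFC 6066 forbids IP literals in SNI, so those
    return None (the caller then sends no server_name extension at all).
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return host


def sni_leaks_userinfo(sni_name) -> bool:
    """Detection check: a server_name containing '@' carries URI userinfo."""
    return bool(sni_name) and "@" in sni_name


def build_client_hello(sni_name: str) -> bytes:
    """Constructed sample: a minimal TLS ClientHello record whose only
    extension is server_name. Test data for extract_sni(), not a real hello."""
    name = sni_name.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name        # name_type host_name(0)
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # ExtensionType server_name(0)
    body = (
        b"\x03\x03"                   # client_version TLS 1.2
        + os.urandom(32)              # random
        + b"\x00"                     # empty session_id
        + b"\x00\x02\x00\x2f"         # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
        + b"\x01\x00"                 # null compression only
        + len(ext).to_bytes(2, "big") + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # ContentType handshake


def extract_sni(record: bytes):
    """Pull host_name out of the server_name extension of one unfragmented
    ClientHello record; None if the record is not a ClientHello or has no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                               # client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                       # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")        # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                       # compression_methods
    if pos + 2 > len(body):
        return None                                            # no extensions block
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0 or len(edata) < 2:
            continue
        q, list_end = 2, 2 + int.from_bytes(edata[0:2], "big")
        while q + 3 <= list_end:
            nlen = int.from_bytes(edata[q + 1:q + 3], "big")
            if edata[q] == 0:                                  # host_name entry
                return edata[q + 3:q + 3 + nlen].decode("ascii", "replace")
            q += 3 + nlen
    return None


if __name__ == "__main__":
    url = "https://user:password@mageia.org/"   # same shape as the URL used in Comment 6
    for label, name in (("naive", naive_authority_name(url)),
                        ("fixed", sni_hostname_from_url(url))):
        sni = extract_sni(build_client_hello(name))
        print(label, repr(sni), "LEAK" if sni_leaks_userinfo(sni) else "ok")
```

The wire-level check for a real client is the same as what extract_sni() does on the constructed record: capture the handshake and look at the server_name value (in Wireshark, the tls.handshake.extensions_server_name field); a name containing "@" means the userinfo went out in cleartext regardless of what the terminal shows. The IP-literal handling in sni_hostname_from_url() is a separate RFC 6066 requirement, not part of this CVE, and is included because any fixed client has to get that right as well.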
Comment 8
Dave Hodgins
2021-09-22 21:41:05 CEST
CC: (none) => davidwhodgins

Comment 9
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0422.html
Status: ASSIGNED => RESOLVED