A CVE has been issued for a security issue in lynx discussed in this thread: https://www.openwall.com/lists/oss-security/2021/08/07/9 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
This homeless SRPM has been committed by different people, so assigning this bug globally.
Assignee: bugsquad => pkg-bugs
From reading the rest of the thread, it appears to be fixed in 2.9.0dev.9.
Status comment: (none) => Fixed upstream in 2.9.0dev.9
Debian has issued an advisory for this today (August 10): https://www.debian.org/security/2021/dsa-4953
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data. (CVE-2021-38165)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38165
https://www.openwall.com/lists/oss-security/2021/08/07/9
https://www.debian.org/security/2021/dsa-4953
========================

Updated packages in core/updates_testing:
========================

lynx-2.8.9-0.dev17.4.1.mga8

from SRPM:
lynx-2.8.9-0.dev17.4.1.mga8.src.rpm
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.9.0dev.9 => (none)
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2021-38165
Version: Cauldron => 8
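The advisory above describes the flaw as userinfo from the URI ending up in the TLS SNI extension. The following is an added illustration, not lynx's code or the advisory's: a naive host extraction that keeps "user:password@" beside a correct one based on urllib, plus two checks a packager or tester can reuse. All function names are my own.

```python
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def sni_host_naive(url: str) -> str:
    """Buggy pattern (modelled on the advisory's description, not lynx's code):
    treat everything between '//' and the next '/' as the host name.
    For 'https://u:p@h/' this yields 'u:p@h', which then leaks into SNI."""
    rest = url.split("//", 1)[1]
    return rest.split("/", 1)[0]


def sni_host(url: str) -> str:
    """Correct pattern: let the URI parser separate the authority into
    userinfo, host and port, and hand only the host to the TLS layer."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host component")
    return host


def is_valid_sni(name: str) -> bool:
    """RFC 6066 SNI carries a DNS host name: reject anything that is not
    a sequence of well-formed labels (so ':' and '@' can never pass)."""
    return name != "" and all(_LABEL.match(label) for label in name.split("."))


def sni_leaks_userinfo(url: str, sni: str) -> bool:
    """Test-side check: does the SNI value contain the URL's username or password?"""
    parts = urlsplit(url)
    return any(secret and secret in sni for secret in (parts.username, parts.password))


if __name__ == "__main__":
    # Constructed sample URL with dummy credentials.
    url = "https://alice:s3cret@example.org/index.html"
    print("naive  :", sni_host_naive(url), "leaks:", sni_leaks_userinfo(url, sni_host_naive(url)))
    print("correct:", sni_host(url), "leaks:", sni_leaks_userinfo(url, sni_host(url)))
```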
Fedora has issued an advisory for this today (September 8): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VKNK7GQBJBUBMJVNKVC7RTCYWUYMFJQW/
Severity: normal => major
mga8, x64

CVE-2021-38165

No idea how to go about testing this but invented a URL to expose the fault.

$ lynx https://<user>:<password>@mageia.org
Looking up mageia.org
Making HTTPS connection to mageia.org
SSL callback:self signed certificate, preverify_ok=0, ssl_okay=0
SSL callback:self signed certificate, preverify_ok=1, ssl_okay=1
lynx: Can't access startfile https://<user>:<password>@mageia.org/

User credentials in clear text.

After update:

Ran the dummy command. No sign of the user password in the terminal. "URL is not absolute".
User screen appeared showing "Home of the Mageia project (p1 of 2)". Much of the page was in Afrikaans (presumably the first one in the language list). Read the Mageia Blog, logged in and logged out then quit.

$ lynx https://exoplanet.eu/
That hung.

$ https://apod.nasa.gov/apod/astropix.html
The APOD page came up immediately. Followed a link in the text to another page, browsed that then back to the main page. Activated the Archive link and displayed an earlier APOD page. Invoked Help and then Keystroke commands. Tried a few on the help document then M to return to the main screen. Used d on the main picture to download it and rename it. That seemed to succeed but could not find it in Downloads. Exited and found the download in the current directory.

The basic operations all work so this can go.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
Validating Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0422.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED