A CVE has been issued for a security issue in lynx discussed in this thread:
Mageia 8 is also affected.
This homeless SRPM has been committed by different people, so assigning this bug globally.
From reading the rest of the thread, it appears to be fixed in 2.9.0dev.9.
Fixed upstream in 2.9.0dev.9
Debian has issued an advisory for this today (August 10):
The updated package fixes a security vulnerability:
Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data. (CVE-2021-38165)
Updated packages in core/updates_testing:
Fedora has issued an advisory for this today (September 8):
No idea how to go about testing this but invented a URL to expose the fault.
$ lynx https://<user>:<password>@mageia.org
Looking up mageia.org
Making HTTPS connection to mageia.org
SSL callback:self signed certificate, preverify_ok=0, ssl_okay=0
SSL callback:self signed certificate, preverify_ok=1, ssl_okay=1
lynx: Can't access startfile https://<user>:<password>@mageia.org/
User credentials in clear text.
Ran the dummy command. No sign of the user password in the terminal. "URL is not absolute".
User screen appeared showing "Home of the Mageia project (p1 of 2)". Much of the page was in Afrikaans (presumably the first one in the language list). Read the Mageia Blog, logged in and logged out then quit.
$ lynx https://exoplanet.eu/
The APOD page came up immediately. Followed a link in the text to another page, browsed that then back to the main page. Activated the Archive link and displayed an earlier APOD page.
Invoked Help and then Keystroke commands. Tried a few on the help document then M to return to the main screen. Used d on the main picture to download it and rename it. That seemed to succeed but could not find it in Downloads. Exited and found the download in the current directory.
The basic operations all work so this can go.
Validating Advisory in Comment 4.
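The flaw described in the advisory text above (the userinfo part of a URI reaching the TLS SNI field), shown as an added example that is not Lynx's code and not part of this thread. The function names, the `strip_userinfo` switch and the sample URL are constructed for illustration; the flawed mode models the described behaviour, not the actual upstream source.

```c
#include <stdio.h>
#include <string.h>

/* Drop a trailing ":port" (digits only); assumes a DNS name, not an IPv6 literal. */
static void strip_port(char *host)
{
    char *colon = strrchr(host, ':');
    if (colon != NULL && colon[1 + strspn(colon + 1, "0123456789")] == '\0')
        *colon = '\0';
}

/*
 * Derive the name a client would place in the TLS SNI extension from an
 * absolute URL. strip_userinfo == 0 models the flaw: the whole authority is
 * treated as the host. strip_userinfo == 1 is the corrected behaviour.
 * Returns 0 on success, -1 if the URL is not absolute or the host is empty.
 */
int sni_name(const char *url, int strip_userinfo, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    char *at;
    size_t n;

    if (p == NULL)
        return -1;
    p += 3;
    n = strcspn(p, "/?#");              /* authority ends at path/query/fragment */
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    at = strrchr(out, '@');             /* userinfo ends at the last '@' */
    if (strip_userinfo && at != NULL)
        memmove(out, at + 1, strlen(at + 1) + 1);
    strip_port(out);
    return out[0] != '\0' ? 0 : -1;
}

int main(void)
{
    /* Constructed sample URL; credentials and host are placeholders. */
    const char *url = "https://alice:s3cret@example.org:8443/index.html";
    char name[256];

    if (sni_name(url, 0, name, sizeof name) == 0)
        printf("flawed SNI: %s\n", name);
    if (sni_name(url, 1, name, sizeof name) == 0)
        printf("fixed SNI:  %s\n", name);
    return 0;
}
```

On the monitoring side, an '@' in a ClientHello server_name is never valid in a hostname, so it is a simple indicator of this class of leak.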