ArchLinux: 202108-9: lynx: information disclosure

Arch Linux Security Advisory ASA-202108-9
=========================================

Severity: High
Date    : 2021-08-10
CVE-ID  : CVE-2021-38165
Package : lynx
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2261

Summary
=======

The package lynx before version 2.8.9-4 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 2.8.9-4.

# pacman -Syu "lynx>=2.8.9-4"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

HTParse in Lynx through 2.8.9 mishandles the userinfo subcomponent of a
URI, which allows remote attackers to discover cleartext credentials
because they may appear in SNI data or HTTP headers.
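
The class of bug described above is avoided when the host name handed to the TLS and HTTP layers is taken only from the part of the authority after the userinfo. The following is an added example, not Lynx's HTParse code or the upstream patch; the function name uri_host_only and the sample URI with placeholder credentials are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Lynx's HTParse): copy only the host of a URI that
 * has an authority into out, dropping scheme, userinfo, port, path, query and
 * fragment. Returns 0 on success, -1 on malformed input or a short buffer. */
int uri_host_only(const char *uri, char *out, size_t outlen)
{
    const char *auth = strstr(uri, "://");
    if (auth == NULL)
        return -1;
    auth += 3;
    /* The authority ends at the first '/', '?' or '#' (RFC 3986, 3.2). */
    size_t alen = strcspn(auth, "/?#");

    /* userinfo ends at the last '@' inside the authority; an '@' that
     * appears later in the path or query must not be considered. */
    const char *host = auth;
    for (size_t i = 0; i < alen; i++)
        if (auth[i] == '@')
            host = auth + i + 1;
    size_t hlen = alen - (size_t)(host - auth);

    if (hlen > 0 && host[0] == '[') {
        /* IPv6 literal: keep everything up to and including ']'. */
        const char *rb = memchr(host, ']', hlen);
        if (rb == NULL)
            return -1;
        hlen = (size_t)(rb - host) + 1;
    } else {
        /* Otherwise the port, if any, follows the first ':'. */
        const char *colon = memchr(host, ':', hlen);
        if (colon != NULL)
            hlen = (size_t)(colon - host);
    }
    if (hlen == 0 || hlen >= outlen)
        return -1;
    memcpy(out, host, hlen);
    out[hlen] = '\0';
    return 0;
}

int main(void)
{
    char host[256];
    /* Constructed sample URI; "user:secret" is a placeholder. */
    if (uri_host_only("https://user:secret@example.org:8443/x", host, sizeof host) == 0)
        printf("host without userinfo: %s\n", host);
    return 0;
}
```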

Impact
======

A remote attacker could retrieve HTTP Basic Authentication credentials.

References
==========

https://bugs.archlinux.org/task/71764
https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html
https://lynx.invisible-island.net/current/CHANGES.html#index-v2.9.0dev.9
https://github.com/archlinux/svntogit-packages/blob/packages/lynx/trunk/CVE-2021-38165.diff
https://security.archlinux.org/CVE-2021-38165

August 13, 2021