Explore top 10 tips to secure your open-source projects now. Read More
×Moderate: lynx security update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2022:2129", "synopsis": "Moderate: lynx security update", "severity": "SEVERITY_MODERATE", "topic": "An update is available for lynx.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "Lynx is a text-based Web browser. Lynx does not display any images, but it does support frames, tables, and most other HTML tags.\n\nSecurity Fix(es):\n\n* lynx: Disclosure of HTTP authentication credentials via SNI data (CVE-2021-38165)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 8.6 Release Notes linked from the References section.", "solution": null, "affectedProducts": ["Rocky Linux 8"], "fixes": [{"ticket": "1994998", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=1994998", "description": ""}], "cves": [{"name": "CVE-2021-38165", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38165", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "cvss3BaseScore": "5.3", "cwe": "CWE-522"}], "references": [], "publishedAt": "2026-06-28T00:01:40.098233Z", "rpms": {"Rocky Linux 8": {"nvras": ["lynx-debuginfo-0:2.8.9-4.el8.aarch64.rpm", "lynx-0:2.8.9-4.el8.aarch64.rpm", "lynx-0:2.8.9-4.el8.src.rpm", "lynx-0:2.8.9-4.el8.x86_64.rpm", "lynx-debuginfo-0:2.8.9-4.el8.x86_64.rpm", "lynx-debugsource-0:2.8.9-4.el8.aarch64.rpm", "lynx-debugsource-0:2.8.9-4.el8.x86_64.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. Lynx security update for Rocky Linux addresses moderate risks, including HTTP credential exposure. Read more.. Rocky Linux Lynx Update CredentialExposure Web Browser. . Severity: moderate. LinuxSecurity.com Team
An update for lynx is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: lynx security update Advisory ID: RHSA-2022:2129-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:2129 Issue date: 2022-05-10 CVE Names: CVE-2021-38165 ==================================================================== 1. Summary: An update for lynx is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: Lynx is a text-based Web browser. Lynx does not display any images, but it does support frames, tables, and most other HTML tags. Security Fix(es): * lynx: Disclosure of HTTP authentication credentials via SNI data (CVE-2021-38165) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.6 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed(https://bugzilla.redhat.com/): 1994998 - CVE-2021-38165 lynx: Disclosure of HTTP authentication credentials via SNI data 6. Package List: Red Hat CodeReady Linux Builder (v. 8): Source: lynx-2.8.9-4.el8.src.rpm aarch64: lynx-2.8.9-4.el8.aarch64.rpm lynx-debuginfo-2.8.9-4.el8.aarch64.rpm lynx-debugsource-2.8.9-4.el8.aarch64.rpm ppc64le: lynx-2.8.9-4.el8.ppc64le.rpm lynx-debuginfo-2.8.9-4.el8.ppc64le.rpm lynx-debugsource-2.8.9-4.el8.ppc64le.rpm s390x: lynx-2.8.9-4.el8.s390x.rpm lynx-debuginfo-2.8.9-4.el8.s390x.rpm lynx-debugsource-2.8.9-4.el8.s390x.rpm x86_64: lynx-2.8.9-4.el8.x86_64.rpm lynx-debuginfo-2.8.9-4.el8.x86_64.rpm lynx-debugsource-2.8.9-4.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2021-38165 https://access.redhat.com/security/updates/classification#moderate https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/8.6_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIUAwUBYnqQmNzjgjWX9erEAQiSbQ/2MC9CC7KGlaV1ZRGVWkWC4+oc6o7bK8GF FpL1RgHNjs3FnTrRkFiy73V6mAptC2chrl7vufNLyxcvNRKiIX9VILJyMK2C967N TAWjwCBmUPzwQ1fjQBo1ss1LYWPLT03q+AADIrQXPV5fBbzlPnQSyN205rVv9xMb x9p09dh3gaIcyrBtko4RzCD2/w3vAy0pb64SxLks1tMVLQ7xtcF2M5HwHHCUigfx QHpPf2Uf4wyPPyjoe0HldZAnpTNCm7+WfV0NbBtzntLYSZCj/GA1AuKbmKotAImZ IkcFYwNCdOoVknsXdNpyEB6DzZgMqe88TZCqgSBfvs3ngJXtiAy/Jgyx9QEQ9VRv 5PXBUVpHpfwp7p6ypOe4CHuDzx8EHnx9GOwVxL2YDjhOKLSZHXyCnPJZkxd1VdIR CfUblKoveKhE4wl1HIZ36CB6lAuWS3c/oYhod+OXR/Zn8NX05qzhbFvDSEefmQeq q/QrP23R5bd5nRLSlRm+kic64xPpHVs8sH29oAJ9E32j+gHiLabFiyh7uFMohJY1 HiN2Wj8q5r8+D+AZC1fDZvk9oxZaNBl1jAxEEiQjuuzE1lzEtJUDS+hZRC1GZDK4 weYf00dqXwhpcMx5vAWTbGnS8Ngsy4QgNxN93yKw2pdFczw6L+v9pkXYwoZ3u2Xr PnLo+xAGKA==+W// -----END PGPSIGNATURE----- -- RHSA-announce mailing list
Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data. (CVE-2021-38165) References: . MGASA-2021-0422 - Updated lynx packages fix security vulnerability Publication date: 23 Sep 2021 URL: https://advisories.mageia.org/MGASA-2021-0422.html Type: security Affected Mageia releases: 8 CVE: CVE-2021-38165 Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data. (CVE-2021-38165) References: - https://bugs.mageia.org/show_bug.cgi?id=29342 - https://www.openwall.com/lists/oss-security/2021/08/07/9 - https://lists.debian.org/debian-security-announce/2021/msg00136.html - https://www.cve.org/CVERecord?id=CVE-2021-38165 SRPMS: - 8/core/lynx-2.8.9-0.dev17.4.1.mga8 . New Lynx versions address security vulnerabilities in Mageia 8, released on 23 Sep 2021.. Mageia Lynx Security Fix, Credential Exposure, Remote Attack Mitigation. . Severity: Important. LinuxSecurity.com Team
- fix disclosure of HTTP auth credentials via SNI data (CVE-2021-38165). --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2021-f59bda7d94 2021-09-08 15:05:54.167624 --------------------------------------------------------------------------------Name : lynx Product : Fedora 34 Version : 2.8.9 Release : 13.fc34 URL : http://lynx.browser.org/ Summary : A text-based Web browser Description : Lynx is a text-based Web browser. Lynx does not display any images, but it does support frames, tables, and most other HTML tags. One advantage Lynx has over graphical browsers is speed; Lynx starts and exits quickly and swiftly displays web pages. --------------------------------------------------------------------------------Update Information: - fix disclosure of HTTP auth credentials via SNI data (CVE-2021-38165) --------------------------------------------------------------------------------ChangeLog: * Tue Aug 31 2021 Kamil Dudka - 2.8.9-13 - fix disclosure of HTTP auth credentials via SNI data (CVE-2021-38165) * Thu Jul 22 2021 Fedora Release Engineering - 2.8.9-12 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild --------------------------------------------------------------------------------References: [ 1 ] Bug #1994998 - CVE-2021-38165 lynx: Disclosure of HTTP authentication credentials via SNI data https://bugzilla.redhat.com/show_bug.cgi?id=1994998 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2021-f59bda7d94' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
The package lynx before version 2.8.9-4 is vulnerable to information disclosure. . Arch Linux Security Advisory ASA-202108-9 ======================================== Severity: High Date : 2021-08-10 CVE-ID : CVE-2021-38165 Package : lynx Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-2261 Summary ====== The package lynx before version 2.8.9-4 is vulnerable to information disclosure. Resolution ========= Upgrade to 2.8.9-4. # pacman -Syu "lynx> =2.8.9-4" The problem has been fixed upstream but no release is available yet. Workaround ========= None. Description ========== HTParse in Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data or HTTP headers. Impact ===== A remote attacker could retrieve HTTP Basic Authentication credentials. References ========= https://bugs.archlinux.org/task/71764 https://lynx.invisible-island.net/current/CHANGES.html#index-v2.9.0dev.9 https://github.com/archlinux/svntogit-packages/blob/packages/lynx/trunk/CVE-2021-38165.diff https://security.archlinux.org/CVE-2021-38165 . Debian Security Notice DSN-202109-8 highlights a critical vulnerability affecting wget. Immediate update suggested.. Arch Linux, Lynx Security, Information Disclosure, Remote Vulnerability. . LinuxSecurity.com Team
Thorsten Glaser and Axel Beckert reported that lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credential in cleartext in SNI data. . - ------------------------------------------------------------------------- Debian Security Advisory DSA-4953-1
- update to the latest upstream pre-release (fixes CVE-2017-1000211). --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2017-bf172b2035 2017-12-26 15:02:57.897176 --------------------------------------------------------------------------------Name : lynx Product : Fedora 26 Version : 2.8.9 Release : 0.20.dev16.fc26 URL : http://lynx.browser.org/ Summary : A text-based Web browser Description : Lynx is a text-based Web browser. Lynx does not display any images, but it does support frames, tables, and most other HTML tags. One advantage Lynx has over graphical browsers is speed; Lynx starts and exits quickly and swiftly displays web pages. --------------------------------------------------------------------------------Update Information: - update to the latest upstream pre-release (fixes CVE-2017-1000211) --------------------------------------------------------------------------------References: [ 1 ] Bug #1522617 - CVE-2017-1000211 lynx: Use after free in HTML.c:HTML_put_string() can lead to memory disclosure https://bugzilla.redhat.com/show_bug.cgi?id=1522617 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade lynx' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list --
Two security issues were fixed in Lynx.. =========================================================================Ubuntu Security Notice USN-1642-1 November 29, 2012 lynx-cur vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.10 - Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 10.04 LTS Summary: Two security issues were fixed in Lynx. Software Description: - lynx-cur: Text-mode WWW Browser with NLS support Details: Dan Rosenberg discovered a heap-based buffer overflow in Lynx. If a user were tricked into opening a specially crafted page, a remote attacker could cause a denial of service via application crash, or possibly execute arbitrary code as the user invoking the program. This issue only affected Ubuntu 10.04 LTS. (CVE-2010-2810) It was discovered that Lynx did not properly verify that an HTTPS certificate was signed by a trusted certificate authority. This could allow an attacker to perform a "man in the middle" (MITM) attack which would make the user believe their connection is secure, but is actually being monitored. This update changes the behavior of Lynx such that self-signed certificates no longer validate. Users requiring the previous behavior can use the 'FORCE_SSL_PROMPT' option in lynx.cfg. (CVE-2012-5821) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.10: lynx-cur 2.8.8dev.12-2ubuntu0.1 Ubuntu 12.04 LTS: lynx-cur 2.8.8dev.9-2ubuntu0.12.04.1 Ubuntu 11.10: lynx-cur 2.8.8dev.9-2ubuntu0.11.10.1 Ubuntu 10.04 LTS: lynx-cur 2.8.8dev.2-1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-1642-1 CVE-2010-2810, CVE-2012-5821 Package Information: https://launchpad.net/ubuntu/+source/lynx-cur/2.8.8dev.12-2ubuntu0.1 https://launchpad.net/ubuntu/+source/lynx-cur/2.8.8dev.9-2ubuntu0.12.04.1 https://launchpad.net/ubuntu/+source/lynx-cur/2.8.8dev.9-2ubuntu0.11.10.1 https://launchpad.net/ubuntu/+source/lynx-cur/2.8.8dev.2-1ubuntu0.1 . Immediate security patches for Lynx in Ubuntu address severe vulnerabilities linked to buffer overflow and potential Man-In-The-Middle threats.. lynx security updates, ubuntu vulnerabilities, buffer overflow fix, man in the middle attack. . Severity: Critical. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.