[Bug 257812] patch and update ww/lynx-current affected by CVE-2021-38165
Date: Fri, 13 Aug 2021 16:03:47 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257812

Bug ID: 257812
Summary: patch and update ww/lynx-current affected by CVE-2021-38165
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: ps.ports@smyrak.com
CC: adamw@FreeBSD.org

Created attachment 227163
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=227163&action=edit
patch to the www/lynx-current port

www/lynx* ports are vulnerable to CVE-2021-38165.

They will leak HTTP username and password by not stripping them when constructing a hostname for HTTPS SNI. See [1] for the vulnerability thread.

The attached patch updates the www/lynx-current port to an August release of lynx2.9.0dev.9 as published on [2], adjusts the FTP master site according to the release announcement, and updates makefile.in patch not to conflict with the newer version.

1. https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
2. https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00008.html

--
You are receiving this mail because:
You are the assignee for the bug.
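
The class of bug described in the report, as an added C example that is neither lynx source nor the attached patch: deriving the SNI name from a URL authority by removing only the port leaves `user:password@` in a field the TLS ClientHello sends unencrypted, while stripping the userinfo first does not. The function names `sni_leaky` and `sni_clean` are hypothetical, and the sample authority is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Copy n bytes of src into out as a C string; -1 if empty or too long. */
static int copy_n(char *out, size_t outlen, const char *src, size_t n)
{
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, src, n);
    out[n] = '\0';
    return 0;
}

/* Leaky pattern: only a trailing ":port" is removed, userinfo stays. */
int sni_leaky(const char *authority, char *out, size_t outlen)
{
    const char *colon = strrchr(authority, ':');
    size_t n = strlen(authority);

    if (colon != NULL && colon[1] != '\0'
        && strspn(colon + 1, "0123456789") == strlen(colon + 1))
        n = (size_t)(colon - authority);
    return copy_n(out, outlen, authority, n);
}

/* Hardened: drop everything up to the last '@', then drop the port. */
int sni_clean(const char *authority, char *out, size_t outlen)
{
    const char *at = strrchr(authority, '@');
    const char *host = at ? at + 1 : authority;

    if (host[0] == '[')   /* IP literal: SNI (RFC 6066) carries DNS names only */
        return -1;        /* caller should send no SNI at all */
    return copy_n(out, outlen, host, strcspn(host, ":"));
}

int main(void)
{
    /* Constructed sample authority; the credentials are placeholders. */
    const char *authority = "alice:s3cret@www.example.org:8443";
    char leaky[256], clean[256];

    if (sni_leaky(authority, leaky, sizeof leaky) == 0)
        printf("leaky SNI: %s\n", leaky);
    if (sni_clean(authority, clean, sizeof clean) == 0)
        printf("clean SNI: %s\n", clean);
    return 0;
}
```

A capture of the ClientHello `server_name` extension before and after the port update is a direct way to confirm the fix, since that field is visible to any on-path observer.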