[pkg-lynx-maint] Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)

Thomas Dickey dickey at his.com
Sat Aug 7 20:53:11 BST 2021


On Sat, Aug 07, 2021 at 08:17:31PM +0200, Salvatore Bonaccorso wrote:
> Hi Axel,
...
> MITRE did assign CVE-2021-38165. MITRE raised the question: Does
> 2.9.0dev.9 (mentioned on the
> https://lynx.invisible-island.net/current/CHANGES.html page) fix the
> entire problem?
> https://www.openwall.com/lists/oss-security/2021/08/07/7 claims that
> credentials appear in the HTTP Host header to an http:// (i.e.,
> non-SSL) website. 

I considered that possibility, but (using Axel's hint on how he tested)
found nothing in the data shown in "Follow TCP Stream" for this case.

Perhaps you could explain how you've tested this case, and how to repeat
the results.

(the suggested patch by the way is unsuitable because it breaks the
known-to-be-insecure use of user credentials in a non-HTTPS URL)

-- 
Thomas E. Dickey <dickey at invisible-island.net>
https://invisible-island.net
ftp://ftp.invisible-island.net
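The check discussed in this message, reading the plaintext request for credentials in the Host header, can be scripted. This is an added example, not part of the original message and not Lynx code: the function names are hypothetical, the URL, credentials and both captured requests are constructed, and it assumes the "known-to-be-insecure use" refers to HTTP Basic authentication, which it reports separately from a Host header leak.

```python
import base64
from urllib.parse import urlsplit, unquote

def expected_host_header(url):
    """Host header value for url: hostname[:port], never the userinfo."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = "[" + host + "]"
    return host if parts.port is None else f"{host}:{parts.port}"

def audit_stream(url, stream):
    """Report where the URL's credentials appear in a plaintext request dump."""
    parts = urlsplit(url)
    user, pw = parts.username or "", parts.password or ""
    # Substring matching: very short usernames may over-report.
    secrets = {s for s in (user, pw, unquote(user), unquote(pw)) if s}
    findings = []
    for line in stream.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue                     # request line or blank line
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            if "@" in value or any(s in value for s in secrets):
                findings.append(("host-leak", value))
            elif value.lower() != expected_host_header(url).lower():
                findings.append(("host-mismatch", value))
        elif name == "authorization" and value.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(value[6:], validate=True).decode("utf-8", "replace")
            except ValueError:
                continue                 # not valid base64, nothing to compare
            if any(s in decoded for s in secrets):
                findings.append(("basic-auth-cleartext", decoded))
    return findings

# Constructed sample data (not captured from Lynx).
URL = "http://alice:s3cret@www.example.org/"
LEAKY = "GET / HTTP/1.0\r\nHost: alice:s3cret@www.example.org\r\n\r\n"
CLEAN = ("GET / HTTP/1.0\r\nHost: www.example.org\r\nAuthorization: Basic "
         + base64.b64encode(b"alice:s3cret").decode() + "\r\n\r\n")

if __name__ == "__main__":
    for label, dump in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, audit_stream(URL, dump))
```
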