[pkg-lynx-maint] Bug#991971: Bug#991971: [CVE-2021-38165] lynx: bug in SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)

Moritz Mühlenhoff jmm at inutil.org
Sun Aug 8 10:58:52 BST 2021


Am Sun, Aug 08, 2021 at 01:54:56AM +0200 schrieb Axel Beckert:
> Hi Andreas,
> 
> Andreas Metzler wrote:
> > > > tags 991971 fixed-upstream
> > > Bug #991971 [lynx] lynx: SSL certificate validation fails with URLs containing user name or user name and password, i.e. https://user:password@host/ and https://user@host/; leaks password in clear text via SNI
> > > Added tag(s) fixed-upstream.
> > 
> > Hello,
> > 
> > I have just uploaded .9 to experimental.
> 
> Thanks a lot! Went to bed in the morning last night, so I was really
> happy to see at least Experimental already being fixed when I woke up
> again.
> 
> > The deadline for bulleye unblock requests has passed, so we will
> > need to fix this by security/point release.
> 
> Hrm, right, thanks for the reminder.
> 
> I nevertheless will update Unstable with a fix. It might be helpful
> for the Security Team (Cc'ed) or us to prepare a stable-update for
> Bullseye.
> 
> Security Team: Do you think the fix for CVE-2021-38165 should get a
> DSA? Or do you think it's not important enough and we should target a
> minor stable update for it?

This breaks a pretty fundamental security assumption for a browser, so
we should fix it via -security, even though lynx is a fringe browser.

bullseye-security is operational, so we can do both at the same time
so that bullseye will be fixed from day one.

Cheers,
        Moritz



More information about the pkg-lynx-maint mailing list