[pkg-lynx-maint] Bug#991971: Bug#991971: [CVE-2021-38165] lynx: bug in SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
Axel Beckert
abe at debian.org
Sun Aug 8 11:14:16 BST 2021
Hi Moritz,
Moritz Mühlenhoff wrote:
> > Security Team: Do you think the fix for CVE-2021-38165 should get a
> > DSA? Or do you think it's not important enough and we should target a
> > minor stable update for it?
>
> This breaks a pretty fundamental security assumption for a browser,
Ack.
> so we should fix it via -security, even though lynx is a fringe
> browser.
Good. Anything which gets the fix into bullseye (and preferably also
buster) sooner rather than later is fine with me.
> bullseye-security is operational, so we can do both at the same time
> so that bullseye will be fixed from day one.
That'd be great, thanks!
Feel free to base the security upload upon 2.9.0dev.6-3 which I
uploaded just recently. From my point of view nothing except the first
and last line of the debian/changelog entry needs to be changed for
bullseye-security.
I can also look into how well the patch applies to buster's version of
Lynx, but it might take until Monday.
Regards, Axel
--
,''`. | Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE