[pkg-lynx-maint] Bug#991971: Bug#991971: [CVE-2021-38165] lynx: bug in SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)

Salvatore Bonaccorso carnil at debian.org
Sun Aug 8 11:20:29 BST 2021


Axel,

On Sun, Aug 08, 2021 at 12:14:16PM +0200, Axel Beckert wrote:
> Hi Moritz,
> 
> Moritz Mühlenhoff wrote:
> > > Security Team: Do you think the fix for CVE-2021-38165 should get a
> > > DSA? Or do you think it's not important enough and we should target a
> > > minor stable update for it?
> > 
> > This breaks a pretty fundamental security assumption for a browser,
> 
> Ack.
> 
> > so we should fix it via -security, even though lynx is a fringe
> > browser.
> 
> Good. Anything which gets the fix into bullseye (and preferably also
> buster) rather sooner than later is fine for me.
> 
> > bullseye-security is operational, so we can do both at the same time
> > so that bullseye will be fixed from day one.
> 
> That'd be great, thanks!
> 
> Feel free to base the security upload upon 2.9.0dev.6-3 which I
> uploaded just recently. From my point of view nothing except the first
> and last line of the debian/changelog entry needs to be changed for
> bullseye-security.

Do I understand correctly that you currently have no capacity to prepare
that upload? If so, I can happily chime in, but if you as maintainer
will, that will be perfectly preferable. If so, I suggest: just do a
~deb11u1 on top of the current unstable upload, with changelog entry
"Rebuild for bullseye-security", then pass -v2.9.0dev.6-2 to the
dpkg-genchanges invocation, to include all changelog entries from
2.9.0dev.6-3 up to 2.9.0dev.6-3~deb11u1 into the changes file. Make sure
to build with -sa, as lynx/2.9.0dev.6 is new for dak on
security-master.

> 
> I can also look into how well the patch applies to buster's version of
> Lynx, but it might take until Monday.

Thank you!

Salvatore
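The rebuild procedure Salvatore describes above, spelled out as an added shell example (not part of the thread and not the lynx package's own tooling): it derives the ~deb11u1 version and the -v argument from the unstable version quoted in the mail, emits the dch and dpkg-buildpackage invocations, and checks that the security version sorts below the unstable one, which is what keeps a later upgrade from stable to unstable working. The suite tag "deb11u1" and the fallback ordering rule used when dpkg is not installed are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Versions are the ones quoted in the
# mail: lynx 2.9.0dev.6-3 is the unstable upload carrying the fix and
# 2.9.0dev.6-2 is the upload before it.

# stable_version <unstable-version> <suite-tag> -> 2.9.0dev.6-3~deb11u1
# The tilde makes the stable-security version sort *below* the unstable one.
stable_version() {
    printf '%s~%s\n' "$1" "$2"
}

# previous_version <unstable-version> -> 2.9.0dev.6-2
# Decrements the Debian revision; this is the value to give -v so that every
# changelog entry since it (the CVE fix included) ends up in the .changes file.
previous_version() {
    upstream=${1%-*}
    rev=${1##*-}
    printf '%s-%s\n' "$upstream" "$((rev - 1))"
}

# changelog_command <unstable-version> <suite-tag> -> the dch call for the
# "Rebuild for bullseye-security" entry targeted at bullseye-security.
changelog_command() {
    printf 'dch -v %s -D bullseye-security "Rebuild for bullseye-security"\n' \
        "$(stable_version "$1" "$2")"
}

# build_command <unstable-version> -> the build line; -sa forces the orig
# tarball into the upload because lynx/2.9.0dev.6 is new to security-master.
build_command() {
    printf 'dpkg-buildpackage -sa -v%s\n' "$(previous_version "$1")"
}

# check_order <stable-version> <unstable-version> -> 0 when the stable-security
# version sorts lower than the unstable one, as a ~deb11u1 version must.
check_order() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        # Assumed fallback when dpkg is unavailable: only the exact "<unstable>~..."
        # shape produced by stable_version is accepted.
        case "$1" in "$2~"*) return 0 ;; *) return 1 ;; esac
    fi
}

# Usage on the versions from the mail.
unstable=2.9.0dev.6-3
changelog_command "$unstable" deb11u1
build_command "$unstable"
check_order "$(stable_version "$unstable" deb11u1)" "$unstable" \
    && echo "ok: $(stable_version "$unstable" deb11u1) sorts below $unstable"
```

The -v value is deliberately the version *before* the unstable upload, not the unstable version itself: dpkg-genchanges includes every changelog entry newer than the version given, so passing 2.9.0dev.6-2 pulls in both the 2.9.0dev.6-3 entry with the CVE-2021-38165 fix and the ~deb11u1 rebuild entry.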
