Your message dated Fri, 27 Aug 2021 11:19:43 +0000
with message-id <[email protected]>
and subject line Bug#991971: fixed in lynx 2.8.9rel.1-3+deb10u1
has caused the Debian Bug report #991971,
regarding lynx: [CVE-2021-38165] SSL certificate validation fails with URLs
containing user name or user name and password, i.e.
https://user:password@host/ and https://user@host/; leaks password in clear
text via SNI
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
991971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991971
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lynx
Version: 2.9.0dev.8-1
Severity: important
Tags: upstream, confirmed
Control: forwarded -1
https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
Control: found -1 2.8.9dev1-2+deb8u1
Control: found -1 2.8.9dev11-1
Control: found -1 2.8.9rel.1-3
Control: found -1 2.9.0dev.6-2
Thorsten Glaser reported the following on the upstream dev mailing list
at https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
(citing the parts that affect Debian, i.e. those when compiled against
GnuTLS and not OpenSSL):
> this affects both OpenSSL and Debian’s nonGNUtls builds:
>
> lynx https://user:pass@host/
>
> … will lead to…
[…]
> SSL error:host(user:pass@host)!=cert(CN<mainhost>)-Continue? (n)
>
> … for nonGNUtls lynx.
>
> Obviously, user:pass@ need to be stripped before comparing. The
> nonGNUtls version could also be changed to display the
> subjectAltName's the certificate has like the OpenSSL one does (after
> my patch from ages ago; […]
https://user@host/ is affected as well.
I was able to reproduce this issue in Lynx in all currently (in some
way) supported releases of Debian back to Debian 8 Jessie with ELTS
support and also in the most recent version in Debian Experimental.
P.S. to Thorsten: Feel free to set yourself as submitter of this bug
report. ☺
-- System Information:
Debian Release: 11.0
APT prefers unstable
APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'testing-security'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages lynx depends on:
ii libbsd0 0.11.3-1
ii libbz2-1.0 1.0.8-4
ii libc6 2.31-13
ii libgnutls30 3.7.1-5
ii libidn2-0 2.3.0-5
ii libncursesw6 6.2+20201114-2
ii libtinfo6 6.2+20201114-2
ii lynx-common 2.9.0dev.6-2
ii zlib1g 1:1.2.11.dfsg-2
Versions of packages lynx recommends:
ii mime-support 3.66
lynx suggests no packages.
-- no debconf information
--- End Message ---
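The report above describes two consequences of one parsing mistake: the whole URL authority, `user:pass@host`, is used both as the name compared against the certificate (so the check fails) and as the name placed in the TLS SNI extension (so the password leaves the machine in clear text). As an added illustration, not Lynx's own code and not the Debian patch, the following C shows the separation the report asks for: extract the bare host from the authority before any comparison or SNI use. The names `url_host`, `naive_host` and `host_matches_cert` are hypothetical, and the URL grammar assumed is `scheme://[userinfo@]host[:port]/path`.

```c
/* Added example (not Lynx's code): strip userinfo from a URL authority so
 * that neither the certificate hostname check nor the SNI extension ever
 * sees "user:password@". Assumes scheme://[userinfo@]host[:port]/path. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

/* Copy the host component of `url` into `out` (capacity `outlen`).
 * Returns 1 on success, 0 if there is no authority or the host does not
 * fit. Userinfo up to the last '@' in the authority is dropped (a raw '@'
 * inside the password would otherwise truncate the host), a bracketed
 * IPv6 literal is kept whole, and a trailing ":port" is removed. */
int url_host(const char *url, char *out, size_t outlen) {
    const char *p = strstr(url, "://");
    if (!p) return 0;
    const char *auth = p + 3;
    const char *end = auth + strcspn(auth, "/?#");     /* end of authority */

    const char *at = NULL;
    for (const char *q = auth; q < end; q++)
        if (*q == '@') at = q;
    const char *host = at ? at + 1 : auth;
    const char *host_end = end;

    if (*host == '[') {                                /* e.g. [::1]:8443 */
        const char *rb = memchr(host, ']', (size_t)(end - host));
        if (!rb) return 0;
        host_end = rb + 1;
        /* Note: an IP literal must not be sent as SNI at all (RFC 6066);
         * callers should skip the extension for such hosts. */
    } else {
        const char *colon = memchr(host, ':', (size_t)(end - host));
        if (colon) host_end = colon;                   /* strip :port */
    }

    size_t n = (size_t)(host_end - host);
    if (n == 0 || n + 1 > outlen) return 0;
    memcpy(out, host, n);
    out[n] = '\0';
    return 1;
}

/* The behaviour the report complains about, for contrast: the entire
 * authority is taken as "the host", so user:pass@ ends up in the
 * certificate comparison and in the SNI extension. */
int naive_host(const char *url, char *out, size_t outlen) {
    const char *p = strstr(url, "://");
    if (!p) return 0;
    const char *auth = p + 3;
    size_t n = strcspn(auth, "/?#");
    if (n == 0 || n + 1 > outlen) return 0;
    memcpy(out, auth, n);
    out[n] = '\0';
    return 1;
}

/* Exact, case-insensitive match of the name we would send as SNI against a
 * subject name from the certificate (DNS names are case-insensitive).
 * Wildcard and subjectAltName handling are left to the TLS library. */
int host_matches_cert(const char *sni_name, const char *cert_name) {
    return strcasecmp(sni_name, cert_name) == 0;
}

int main(void) {
    const char *url = "https://user:pass@host/";   /* constructed sample */
    char fixed[256], broken[256];
    if (url_host(url, fixed, sizeof fixed) && naive_host(url, broken, sizeof broken))
        printf("SNI/compare name: naive=\"%s\" fixed=\"%s\"\n", broken, fixed);
    return 0;
}
```

Run against the report's own URLs, `naive_host` yields `user:pass@host` (which is exactly the string in the quoted `SSL error:host(user:pass@host)!=cert(CN<mainhost>)` message and what would go out as SNI), while `url_host` yields `host`, so the comparison with the certificate succeeds and nothing but the hostname is sent in the ClientHello.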
--- Begin Message ---
Source: lynx
Source-Version: 2.8.9rel.1-3+deb10u1
Done: Axel Beckert <[email protected]>
We believe that the bug you reported is fixed in the latest version of
lynx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Axel Beckert <[email protected]> (supplier of updated lynx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 10 Aug 2021 01:54:10 +0200
Source: lynx
Architecture: source
Version: 2.8.9rel.1-3+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Lynx Packaging Team <[email protected]>
Changed-By: Axel Beckert <[email protected]>
Closes: 991971
Changes:
lynx (2.8.9rel.1-3+deb10u1) buster-security; urgency=high
.
* Apply fix from Lynx 2.9.0dev.9 for CVE-2021-38165 to fix leakage of
username and password in the TLS 1.2 SNI Extension if username and
password were given in the URL, i.e. as https://user:[email protected]/
(Closes: #991971)
Checksums-Sha1:
f8c7f55657011b3a391a4b2a03bab682e3f7497f 2560 lynx_2.8.9rel.1-3+deb10u1.dsc
3e00ac30d008e0aa879bfd037abcfd9c0dd2faec 2689171 lynx_2.8.9rel.1.orig.tar.bz2
60ad87a45201396c291931d86411f35a8a4af97f 251 lynx_2.8.9rel.1.orig.tar.bz2.asc
e2f097c682aa263db6b72094ebc60f17e0c06811 29404 lynx_2.8.9rel.1-3+deb10u1.debian.tar.xz
4e3a35e0dbb518150f6890c33fde4ba77ea63566 7143 lynx_2.8.9rel.1-3+deb10u1_source.buildinfo
Checksums-Sha256:
bbab09e6482a4f433fc6063cc34f0353882b9fb4dfc10c8987959e58db00b312 2560 lynx_2.8.9rel.1-3+deb10u1.dsc
387f193d7792f9cfada14c60b0e5c0bff18f227d9257a39483e14fa1aaf79595 2689171 lynx_2.8.9rel.1.orig.tar.bz2
2cb6cf09763d58ec6951bc0bf4cf2836983756fb168f486d30f0a3921304408b 251 lynx_2.8.9rel.1.orig.tar.bz2.asc
0578691571d26b702748845e0acf2436e04b9c75b9e7d643465c23a1170bb8f4 29404 lynx_2.8.9rel.1-3+deb10u1.debian.tar.xz
fb0a2488cc3ad65e194f2fd9a74d74a6c517deac5808a72b9631c8001ee762d2 7143 lynx_2.8.9rel.1-3+deb10u1_source.buildinfo
Files:
ac5876d02e4878400ebbea60e6481107 2560 web optional lynx_2.8.9rel.1-3+deb10u1.dsc
44316f1b8a857b59099927edc26bef79 2689171 web optional lynx_2.8.9rel.1.orig.tar.bz2
d0cd3214b950926ddfc88a7c6d35cec8 251 web optional lynx_2.8.9rel.1.orig.tar.bz2.asc
e45c95752470dc4a06b9d9e4f0e865f6 29404 web optional lynx_2.8.9rel.1-3+deb10u1.debian.tar.xz
12020315232c68b3b4e1b58948e4ffb0 7143 web optional lynx_2.8.9rel.1-3+deb10u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEERoyJeTtCmBnp12Ema+Zjx1o1yXUFAmERzU8ACgkQa+Zjx1o1
yXV+Eg/9HZMmVHM0424x4CN8idgGlTD82sO9Ht/5yyaa5TAkstQ35WS488Gr2SKU
GRUPiRQG3RIQ/1ae9hWKCB+BvQuhLkafFFoxiuQ+I5Z/scmyPkYqcc4IUgBgla/i
e+Q/zMhN62BxJyGKNRWR2Vty52dtOSlmkUFd/klynNGFehghLBWFSxnTRLbx3aer
EshAoW+MlnxbLoDMzCP4jfePzz6UWi/uG5LjZZ4N5GWzd4H6tEn4nwpkxOT2T/uy
9XqBaCwG7tIw34eZ3hgBRIHawV6aXvgeZPUAqI+unrbzeH2COkrTjhlem1ra1w+n
9HxbIyDlvKIuYMqjgL3kRQtUTHV9XA1/s0HgKmSOdiuEynm/ofvWhhIYdi+1AYQ/
E0zEFwVgQmPfGXzlnt0moFNWm+f5NijdHd//1vfUsH5RQCBn63FW+IfenTlzra6j
Q6n0NogzRu8nCdePrnstGRe2SXQUdzpGJjdNTTmZiW8DGqcwKy7OwgLkp+pqTJQq
Y3ruCsi37qaueAGI2RFU0WLvvOuqa2obF+APblzVcUeuLk5krL8ZDfk8cOP77Y7z
OTz6Lk+faDir9i782Zo2hg/bDXSMiSlrgNMhkQqW8684yRCzb2jCg4JapK73CcXs
ezXZ2PQYL8fm51sAIbBtskE/N0kQa/yBmg6t3zlio2pI/la8t4I=
=okwX
-----END PGP SIGNATURE-----
--- End Message ---