> 
> [ forwarding to lynx-dev - see also followup forwarded separately ] 

for the record:
the advisory was against "lynx-current", which is lynx2.8.3dev.8 - August 1999,
which of course is not current in any sense of the word.

The current version of lynx is 2.8.2

It's available at
        http://lynx.browser.org
        http://sol.slcc.edu/lynx/release
        ftp://lynx.isc.org/lynx-2.8.2
2.8.3 Development & patches:
        http://lynx.isc.org/current/index.html

  
> ---------- Forwarded message ---------- 
> Date: Fri, 17 Mar 2000 11:00:06 -0500 
> From: Servio Medina <[EMAIL PROTECTED]> 
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> 
> Subject: lynx 2.8.x - 'special URLs' anti-spoofing protection is weak 
>  
>  
> Klaus, 
>  
> I just scanned through the posts that are archived at 
> http://www.flora.org/lynx-dev/html/month111999/ in order to obtain further 
> understanding of what security threats truly exist and what measures have 
> been/are being taken to address these. A recent FreeBSD Security 
> Announcement (see below) has brought more attention to this issue and I am 
> hoping to receive appropriate clarification, where possible. 
>  
>  
> An explanation of my query - I work for Infrastructure Defense, Inc., which 
> provides private publications to Fortune 500 companies about 
> information/computer security trends, vulnerabilities, etc. I strive to 
> contact the appropriate parties whenever there is a question as to the 
> veracity of a post, claim, other. Hence, my email to you. 
>  
> I hope to hear from you soon. 
> Servio 
>  
> Servio Medina - [EMAIL PROTECTED] 
> Information Security Analyst 
> www.idefense.com  
>  
> ----- 
> FreeBSD-SA-00:08                                           Security Advisory 
>                                                                 FreeBSD, Inc. 
>  
> Topic:                Lynx ports contain numerous buffer overflows 
>  
> Category:       ports 
> Module:         lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current 
> Announced:      2000-03-15 
> Affects:        Ports collection before the correction date. 
> Corrected:      See below. 
> FreeBSD only:   NO 
>  
> I.   Background 
>  
> Lynx is a popular text-mode WWW browser, available in several versions 
> including SSL support and Japanese language localization. 
>  
> II.  Problem Description 
>  
> The lynx software is written in a very insecure style and contains numerous 
> potential and several proven security vulnerabilities (publicized on the 
> BugTraq mailing list) exploitable by a malicious server. 
>  
> The lynx ports are not installed by default, nor are they "part of FreeBSD" 
> as such: they are part of the FreeBSD ports collection, which contains over 
> 3100 third-party applications in a ready-to-install format. 
>  
> FreeBSD makes no claim about the security of these third-party 
> applications, although an effort is underway to provide a security audit 
> of the most security-critical ports. 
>  
> III. Impact 
>  
> A malicious server which is visited by a user with the lynx browser can 
> exploit the browser security holes in order to execute arbitrary code as 
> the local user. 
>  
> If you have not chosen to install any of the 
> lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports/packages, then 
> your system is not vulnerable. 
>  
> IV.  Workaround 
>  
> Remove the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports, if you 
> have installed them. 
>  
> V.   Solution 
>  
> Unfortunately, there is no simple fix to the security problems with the 
> lynx code: it will require a full review by the lynx development team and 
> recoding of the affected sections with a more security-conscious attitude. 
>  
> In the meantime, there are two other text-mode WWW browsers available in 
> FreeBSD ports: www/w3m (also available in www/w3m-ssl for an SSL-enabled 
> version, and japanese/w3m for Japanese-localization) and www/links. 
>  
> Note that the FreeBSD Security Officer does not make any recommendation 
> about the security of these two browsers - in particular, they both appear 
> to contain potential security risks, and a full audit has not been 
> performed, but at present no proven security holes are known. User beware - 
> please watch for future security advisories which will publicize any such 
> vulnerabilities discovered in these ports. 
>  
> --- End report --- 
>  
> 


-- 
Thomas E. Dickey
[EMAIL PROTECTED]
http://www.clark.net/pub/dickey
