The dev.22/dev.23 changes address that; barring any serious bugs introduced
in the process, we'll be putting up a pre-release in the next day or so.
The current version of lynx is 2.8.2
It's available at
http://lynx.browser.org
http://sol.slcc.edu/lynx/release
ftp://lynx.isc.org/lynx-2.8.2
2.8.3 Development & patches:
http://lynx.isc.org/current/index.html
> Is there an anticipated release date for a secure version of lynx? I had
> to disable lynx services and I need to find out when a fix will be
> available. There is a security advisory on the bottom of this e-mail that
> was sent out by FreeBSD. I would appreciate any help. Please feel free to
> contact me.
>
> Thanks in advance,
> -Danovan
>
> =============================================================
> Danovan Golding, Systems/Network Analyst
> Department of University Systems and Security
> Fairleigh Dickinson University
> M/S Robison Hall R52A, T120I
> 1000 River Road
> Teaneck, NJ 07666
> Phone: 201-692-2414
> Fax: 201-692-2494
> Email: [EMAIL PROTECTED]
>
>
> ---------- Forwarded message ----------
> Date: Wed, 15 Mar 2000 09:34:43 -0800
> From: FreeBSD Security Officer <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-00:08 Security Advisory
> FreeBSD, Inc.
>
> Topic: Lynx ports contain numerous buffer overflows
>
> Category: ports
> Module: lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current
> Announced: 2000-03-15
> Affects: Ports collection before the correction date.
> Corrected: See below.
> FreeBSD only: NO
>
> I. Background
>
> Lynx is a popular text-mode WWW browser, available in several versions
> including SSL support and Japanese language localization.
>
> II. Problem Description
>
> The lynx software is written in a very insecure style and contains numerous
> potential and several proven security vulnerabilities (publicized on the
> BugTraq mailing list) exploitable by a malicious server.
>
> The lynx ports are not installed by default, nor are they "part of FreeBSD"
> as such: they are part of the FreeBSD ports collection, which contains over
> 3100 third-party applications in a ready-to-install format.
>
> FreeBSD makes no claim about the security of these third-party
> applications, although an effort is underway to provide a security audit
> of the most security-critical ports.
>
> III. Impact
>
> A malicious server which is visited by a user with the lynx browser can
> exploit the browser security holes in order to execute arbitrary code as
> the local user.
>
> If you have not chosen to install any of the
> lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports/packages, then
> your system is not vulnerable.
>
> IV. Workaround
>
> Remove the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports, if
> you have installed them.
>
> V. Solution
>
> Unfortunately, there is no simple fix to the security problems with the
> lynx code: it will require a full review by the lynx development team and
> recoding of the affected sections with a more security-conscious attitude.
>
> In the meantime, there are two other text-mode WWW browsers available in
> FreeBSD ports: www/w3m (also available in www/w3m-ssl for an SSL-enabled
> version, and japanese/w3m for Japanese-localization) and www/links.
>
> Note that the FreeBSD Security Officer does not make any recommendation
> about the security of these two browsers - in particular, they both appear
> to contain potential security risks, and a full audit has not been
> performed, but at present no proven security holes are known. User beware -
> please watch for future security advisories which will publicize any such
> vulnerabilities discovered in these ports.
>
> (message from unsubscribed address forwarded by Lynx-Dev moderator)
>
>
--
Thomas E. Dickey
[EMAIL PROTECTED]
http://www.clark.net/pub/dickey