Regarding SA22920 (ELinks "smb" Protocol File Upload/Download
Vulnerability).  You list three "solutions": Don't visit
untrusted web sites; Implement restrictive firewall rules
for SMB traffic; Uninstall the smbclient program from systems
where it is not needed.

I would like to note that it is also possible to disable
SMB support from ELinks at compile time, by configuring it
with the --disable-smb option or by changing CONFIG_SMB=yes
to CONFIG_SMB=no in the features.conf file.  Then, AFAICT,
the resulting elinks executable will not use smbclient
(src/protocol/smb/smb.c is not compiled).

To check whether SMB support was enabled in a given executable,
one can choose Help->About and look for "SMB" in the features
list; or choose Setup->Options manager, expand the Protocols
folder, and see if SMB is listed there.  These work in 0.11.1
and 0.12.GIT at least; I don't know about older versions.

(I have not personally confirmed this SMB vulnerability but
it could be true.)


_______________________________________________
elinks-dev mailing list
elinks-dev@linuxfromscratch.org
http://linuxfromscratch.org/mailman/listinfo/elinks-dev
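The two points made in the message above, the compile-time CONFIG_SMB toggle in features.conf and checking a feature list for "SMB", as an added shell example. This is not the poster's code and not part of the ELinks source tree; it assumes features.conf uses plain CONFIG_SMB=yes/no lines and that the feature list is comma-separated (the features.conf excerpt and the feature string in the demo are constructed).

```shell
#!/bin/sh
# Added example (not from the mailing list post or the ELinks project).
#  1. set_config_smb: rewrite CONFIG_SMB=... in a features.conf copy,
#     appending the line if the file has no CONFIG_SMB entry at all
#     (the alternative from the post is ./configure --disable-smb).
#  2. features_list_has_smb: given the text of a "Features:" list as
#     Help->About shows it, report whether SMB appears as a feature.
# Assumptions: plain CONFIG_SMB=yes/no lines; comma-separated features.

set -eu

# set_config_smb FILE VALUE  -> rewrites CONFIG_SMB in FILE to VALUE (yes|no)
set_config_smb() {
    file=$1
    value=$2
    case $value in
        yes|no) ;;
        *) echo "set_config_smb: value must be yes or no" >&2; return 1 ;;
    esac
    if grep -q '^CONFIG_SMB=' "$file"; then
        # rewrite through a temp file (portable, avoids non-POSIX sed -i)
        tmp=$(mktemp)
        sed "s/^CONFIG_SMB=.*/CONFIG_SMB=$value/" "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf 'CONFIG_SMB=%s\n' "$value" >> "$file"
    fi
}

# get_config_smb FILE -> prints the current CONFIG_SMB value ("unset" if none)
get_config_smb() {
    v=$(sed -n 's/^CONFIG_SMB=//p' "$1" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# features_list_has_smb "Standard, IPv6, SMB, ..." -> exit 0 if SMB is listed
features_list_has_smb() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -qx 'SMB'
}

# Constructed sample run (not a real ELinks build).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed features.conf excerpt
CONFIG_BITTORRENT=no
CONFIG_SMB=yes
EOF
    set_config_smb "$f" no
    echo "CONFIG_SMB is now: $(get_config_smb "$f")"
    rm -f "$f"
    if features_list_has_smb "Standard, IPv6, gzip, bzip2, SMB, NNTP"; then
        echo "feature list: SMB enabled, src/protocol/smb/smb.c was compiled in"
    else
        echo "feature list: SMB absent"
    fi
}

demo
```

The rewrite only takes effect for binaries built after it; an already-installed elinks still has to be checked through Help->About or the Protocols folder of the Options manager, as the message describes.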
