Debian Security Advisory
DLA-2736-1 lynx -- LTS security update
- Date Reported: 09 Aug 2021
- Affected Packages: lynx
- Security database references: In Mitre's CVE dictionary: CVE-2021-38165.
- More information:
It was discovered that there was a remote authentication credential leak in the "lynx" text-based web browser.
The package now correctly handles authentication subcomponents in URIs (e.g. https://user:email@example.com) so that remote attackers cannot discover cleartext credentials in SSL connection data.
Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.
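The class of mistake described above, shown as an added illustration that is not taken from the lynx source or from the Debian patch: if the server name sent in SNI is derived from the URI authority without first removing the userinfo, the credentials travel in the unencrypted ClientHello. The function names and the sample authority are hypothetical, and the host is assumed to be a DNS name rather than an IP literal.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Cut a trailing ":port" (digits only) from s in place. */
static void strip_port(char *s)
{
    char *colon = strrchr(s, ':');
    const char *p;

    if (colon == NULL || colon[1] == '\0')
        return;
    for (p = colon + 1; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return;             /* not a port, e.g. the ':' inside userinfo */
    *colon = '\0';
}

/* Flawed pattern: the whole authority, minus the port, becomes the SNI name. */
static const char *sni_name_flawed(const char *authority, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s", authority);
    strip_port(out);
    return out;
}

/* Corrected pattern: drop everything up to the last '@' (the userinfo) first. */
static const char *sni_name_fixed(const char *authority, char *out, size_t outlen)
{
    const char *at = strrchr(authority, '@');

    snprintf(out, outlen, "%s", at != NULL ? at + 1 : authority);
    strip_port(out);
    return out;
}

int main(void)
{
    /* Constructed sample authority, not from a real capture. */
    const char *authority = "alice:s3cret@example.com:443";
    char a[256], b[256];

    printf("flawed SNI: %s\n", sni_name_flawed(authority, a, sizeof a));
    printf("fixed  SNI: %s\n", sni_name_fixed(authority, b, sizeof b));
    return 0;
}
```

Because SNI is sent before the TLS session keys are established, anything placed in it is readable by any observer on the network path, which is why the userinfo must be removed before the name is handed to the TLS library.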
For Debian 9 Stretch, this problem has been fixed in version 2.8.9dev11-1+deb9u1.
We recommend that you upgrade your lynx packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS