[SECURITY] [DLA 2736-1] lynx security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2736-1] lynx security update
From: "Chris Lamb" <lamby@debian.org>
Date: Mon, 9 Aug 2021 11:34:29 -0400 (EDT)
Message-id: <[🔎] 162852321614.23633.9956626605691054863@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2736-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
August 09, 2021                               https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : lynx
Version        : 2.8.9dev11-1+deb9u1
CVE ID         : CVE-2021-38165
Debian Bug     : #991971

It was discovered that there was a remote authentication credential
leak in the "lynx" text-based web browser.

The package now correctly handles authentication subcomponents in
URIs (eg. https://user:pass@example.com) to avoid remote attackers
discovering cleartext credentials in SSL connection data.

For Debian 9 "Stretch", this problem has been fixed in version
2.8.9dev11-1+deb9u1.

We recommend that you upgrade your lynx packages.

For the detailed security status of lynx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lynx

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmERSs4ACgkQHpU+J9Qx
HlgucA//c7ki+LbLuP7LPja0/T1XRQjxPvAVvnHixMw+OY/r+FhuP3EsnGyooAVJ
FDKQ8K3lynoOl15bedITEXfYZp3sg4l4mfOP3kF1OYaIow+ONuLjc2IhWNqUf6aD
INZBav/Qlqkr5YA3Gn9xtoQyW12F4DkwsdnsoeT9d+O1XzOphMQi+3q5KurHTak8
7PRhbK5WchNfgTpiXA3u1cBUEJqdLh97kcDTTV6F+YNBJszYZSMqINXS9exdj1ud
51eRVHFsF4G8JDwZSf5+GQH6IGrc8usUPuH/YsDoaEhs8V5QSPP6R7TmPhHSSrOD
p0VXWaVCYzw1PKHjgJhe2n04/T7Vywt/vt4JebJJ0P/o4BpZVbfb8QNeXtqbIaQ9
X/U9SrCd0N29reOk8b9G+VeEZhwe0zCBwTiZUFoTIV6LMXwLHPVYcY/1FXTnt5hu
QX0MNm9k20heJ4YVFJmNi12mG5NE5vKEGOgplN3biiQEsofkIu4Hx5oXraGILN2e
Nv1YLSKe1H12xzlJFExcGDbre1J4pssQjvyKPYVG8L9uYWX86vbTryVReeGMxq4j
ROEjImDJBH1KtEoK9Bp36VjhD/AStzSii4kQ52LJ+CGrytO/Ft+rhxX3pzRyvpEY
EfNSNzWKbWi4tNbkps6FawMUlVHXfQAxTURY3yJYozDVb/AXz8s=
=ig9O
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2733-1] tomcat8 security update
Next by Date: [SECURITY] [DLA 2737-1] openjdk-8 security update
Previous by thread: [SECURITY] [DLA 2733-1] tomcat8 security update
Next by thread: [SECURITY] [DLA 2737-1] openjdk-8 security update
Index(es):
- Date
- Thread