| Message ID | 20210921093250.22812-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Series | package/lynx: add security patch for CVE-2021-38165 |
On 21/09/2021 11:32, Peter Korsgaard wrote: > Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which > allows remote attackers to discover cleartext credentials because they may > appear in SNI data. > > https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html > > Upstream unfortunately does not provide a public VCS (only source > snapshots), so fetch the security patch from Debian. > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Applied to master, thanks. Regards, Arnout > --- > package/lynx/lynx.hash | 1 + > package/lynx/lynx.mk | 4 ++++ > 2 files changed, 5 insertions(+) > > diff --git a/package/lynx/lynx.hash b/package/lynx/lynx.hash > index 76d7614a7c..62e2555a99 100644 > --- a/package/lynx/lynx.hash > +++ b/package/lynx/lynx.hash > @@ -1,3 +1,4 @@ > # Locally calculated: > sha256 387f193d7792f9cfada14c60b0e5c0bff18f227d9257a39483e14fa1aaf79595 lynx2.8.9rel.1.tar.bz2 > +sha256 b2207e757dbbefc34a20a32b1b4a216b4a4316e1dc812bceca4ac6294871119a 90_CVE-2021-38165.patch > sha256 8406a30ff3134ec23cf752d1ceda92ddaabbe41b4f2dc07ea3cfa139de12d6d6 COPYING > diff --git a/package/lynx/lynx.mk b/package/lynx/lynx.mk > index d115682d64..44d52d90a5 100644 > --- a/package/lynx/lynx.mk > +++ b/package/lynx/lynx.mk > @@ -7,6 +7,10 @@ > LYNX_VERSION = 2.8.9rel.1 > LYNX_SOURCE = lynx$(LYNX_VERSION).tar.bz2 > LYNX_SITE = ftp://ftp.invisible-island.net/lynx/tarballs > +LYNX_PATCH = \ > + https://salsa.debian.org/lynx-team/lynx/-/raw/debian/2.9.0dev.6-3_deb11u1/debian/patches/90_CVE-2021-38165.patch > +# 90_CVE-2021-38165.patch > +LYNX_IGNORE_CVES += CVE-2021-38165 > LYNX_LICENSE = GPL-2.0 > LYNX_LICENSE_FILES = COPYING > >
diff --git a/package/lynx/lynx.hash b/package/lynx/lynx.hash index 76d7614a7c..62e2555a99 100644 --- a/package/lynx/lynx.hash +++ b/package/lynx/lynx.hash @@ -1,3 +1,4 @@ # Locally calculated: sha256 387f193d7792f9cfada14c60b0e5c0bff18f227d9257a39483e14fa1aaf79595 lynx2.8.9rel.1.tar.bz2 +sha256 b2207e757dbbefc34a20a32b1b4a216b4a4316e1dc812bceca4ac6294871119a 90_CVE-2021-38165.patch sha256 8406a30ff3134ec23cf752d1ceda92ddaabbe41b4f2dc07ea3cfa139de12d6d6 COPYING diff --git a/package/lynx/lynx.mk b/package/lynx/lynx.mk index d115682d64..44d52d90a5 100644 --- a/package/lynx/lynx.mk +++ b/package/lynx/lynx.mk @@ -7,6 +7,10 @@ LYNX_VERSION = 2.8.9rel.1 LYNX_SOURCE = lynx$(LYNX_VERSION).tar.bz2 LYNX_SITE = ftp://ftp.invisible-island.net/lynx/tarballs +LYNX_PATCH = \ + https://salsa.debian.org/lynx-team/lynx/-/raw/debian/2.9.0dev.6-3_deb11u1/debian/patches/90_CVE-2021-38165.patch +# 90_CVE-2021-38165.patch +LYNX_IGNORE_CVES += CVE-2021-38165 LYNX_LICENSE = GPL-2.0 LYNX_LICENSE_FILES = COPYING
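Review bot: the new `sha256 ... 90_CVE-2021-38165.patch` line is the only thing that actually pins the patch content, because lynx.mk fetches it from a ref (`debian/2.9.0dev.6-3_deb11u1`) on salsa.debian.org rather than from an immutable object; it would help future maintainers if the `# Locally calculated:` comment, or a short comment next to the new entry, recorded that this hash was computed from the file at that Debian ref, so a later hash mismatch can be attributed to the ref moving rather than to a download problem.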
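Review bot: `LYNX_IGNORE_CVES += CVE-2021-38165` is only valid while the Debian patch stays in `LYNX_PATCH` and still applies to this tree, and the patch is taken from the 2.9.0dev.6-3_deb11u1 packaging whereas `LYNX_VERSION = 2.8.9rel.1`; the commit message should say that the patch was verified to apply cleanly against the 2.8.9rel.1 tarball, and when lynx is later bumped to a release that carries the fix, the `LYNX_PATCH` and `LYNX_IGNORE_CVES` lines need to be dropped together. The `# 90_CVE-2021-38165.patch` comment above the ignore line follows the usual convention of naming the fixing patch, which is good.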
Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.

https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html

Upstream unfortunately does not provide a public VCS (only source snapshots), so fetch the security patch from Debian.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/lynx/lynx.hash | 1 +
 package/lynx/lynx.mk   | 4 ++++
 2 files changed, 5 insertions(+)
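As an added illustration of the bug class the commit message describes (this is constructed example code, not Lynx's source and not part of the patch): deriving the TLS server_name from the raw URI authority carries the userinfo subcomponent into the cleartext ClientHello, whereas an RFC 3986-aware split keeps only the host. `SAMPLE_URL` and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample URL carrying credentials in the userinfo subcomponent.
SAMPLE_URL = "https://alice:s3cret@example.com:8443/private/index.html"


def naive_sni_name(url: str) -> str:
    """Flawed derivation: everything between '://' and the next '/' is treated
    as the host name, minus a trailing ':port'.  The 'userinfo@' prefix is kept,
    so the credentials would be sent in the cleartext server_name extension."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    return authority.rsplit(":", 1)[0] if ":" in authority else authority


def safe_sni_name(url: str) -> str:
    """RFC 3986-aware derivation: urlsplit separates userinfo, host and port,
    so only the host component is used as the TLS server name."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("URL has no host component")
    return parts.hostname


def leaks_userinfo(url: str, sni_name: str) -> bool:
    """Defensive check: True if the username or password from the URL's
    userinfo subcomponent appears in the name that would be sent as SNI."""
    parts = urlsplit(url)
    secrets = [s for s in (parts.username, parts.password) if s]
    return any(secret in sni_name for secret in secrets)


if __name__ == "__main__":
    for derive in (naive_sni_name, safe_sni_name):
        name = derive(SAMPLE_URL)
        print(f"{derive.__name__}: server_name={name!r} "
              f"leaks_userinfo={leaks_userinfo(SAMPLE_URL, name)}")
```

The check in `leaks_userinfo` is the kind of assertion a test suite can run over every URL form (with and without port, with and without password) to catch this regression before it reaches the wire.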