lynx: CVE-2016-9179: invalid URL parsing with '?'

Related Vulnerabilities: CVE-2016-9179

Debian Bug report logs - #843258


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 5 Nov 2016 15:27:02 UTC

Severity: important

Tags: confirmed, fixed-upstream, security, upstream

Found in version lynx/2.8.9dev9-1

Fixed in version lynx/2.8.9dev11-1

Done: Axel Beckert <abe@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://lists.nongnu.org/archive/html/lynx-dev/2016-11/msg00006.html



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Lynx Packaging Team <pkg-lynx-maint@lists.alioth.debian.org>:
Bug#843258; Package src:lynx. (Sat, 05 Nov 2016 15:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Lynx Packaging Team <pkg-lynx-maint@lists.alioth.debian.org>. (Sat, 05 Nov 2016 15:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ynx: CVE-2016-9179
Date: Sat, 05 Nov 2016 16:22:10 +0100
Source: lynx
Version: 2.8.9dev9-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for lynx. TTBOMK there is no
upstream patch yet, but upstream has promised to look into it.

CVE-2016-9179[0]:
invalid URL parsing with '?'

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9179
[1] http://www.openwall.com/lists/oss-security/2016/11/03/4
[2] http://www.openwall.com/lists/oss-security/2016/11/04/8

Regards,
Salvatore



Changed Bug title to 'lynx: CVE-2016-9179: invalid URL parsing with '?'' from 'ynx: CVE-2016-9179'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 05 Nov 2016 15:33:04 GMT)


Added tag(s) confirmed. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Mon, 14 Nov 2016 13:21:06 GMT)


Set Bug forwarded-to-address to 'https://lists.nongnu.org/archive/html/lynx-dev/2016-11/msg00006.html'. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Mon, 14 Nov 2016 13:21:07 GMT)


Added tag(s) fixed-upstream and pending. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Tue, 15 Nov 2016 23:30:03 GMT)


Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Thu, 17 Nov 2016 01:36:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 17 Nov 2016 01:36:05 GMT)


Message #18 received at 843258-close@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: 843258-close@bugs.debian.org
Subject: Bug#843258: fixed in lynx 2.8.9dev11-1
Date: Thu, 17 Nov 2016 01:34:14 +0000
Source: lynx
Source-Version: 2.8.9dev11-1

We believe that the bug you reported is fixed in the latest version of
lynx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 843258@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated lynx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 17 Nov 2016 01:43:23 +0100
Source: lynx
Binary: lynx-common lynx lynx-cur
Architecture: source all amd64
Version: 2.8.9dev11-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Lynx Packaging Team <pkg-lynx-maint@lists.alioth.debian.org>
Changed-By: Axel Beckert <abe@debian.org>
Description:
 lynx       - classic non-graphical (text-mode) web browser
 lynx-common - shared files for lynx package
 lynx-cur   - Text-mode WWW Browser (transitional package)
Closes: 843258
Changes:
 lynx (2.8.9dev11-1) unstable; urgency=medium
 .
   * Import new upstream version 2.8.9dev11
     + Fixes CVE-2016-9179. (Closes: #843258)
   * Clarify item about CVE-2016-9179 in previous changelog entry.
   * Simplify debian/watch to only match so far used combinations and to
     only look for a single compression type (bzip2).
   * Use passive FTP in debian/watch.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 08:53:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:08:21 2019; Machine Name: buxtehude
