lynx-cur: CVE-2012-5821

Related Vulnerabilities: CVE-2012-5821  

Debian Bug report logs - #692443

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 6 Nov 2012 11:03:01 UTC

Severity: important

Tags: fixed-upstream, security

Found in versions lynx-cur/2.8.7dev9-2.1, lynx-cur/2.8.7dev9-2

Fixed in version lynx-cur/2.8.8dev.15-1

Done: Atsuhito KOHDA <kohda@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#692443; Package lynx-cur. (Tue, 06 Nov 2012 11:03:04 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Atsuhito KOHDA <kohda@debian.org>. (Tue, 06 Nov 2012 11:03:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lynx-cur: CVE-2012-5821
Date: Tue, 06 Nov 2012 11:57:59 +0100
Package: lynx-cur
Version: 2.8.7dev9-2.1
Severity: important
Tags: security

Hi,
please see Section 7.4 of this paper:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

This has been assigned CVE-2012-5821.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#692443; Package lynx-cur. (Tue, 06 Nov 2012 11:51:03 GMT).


Acknowledgement sent to dickey@his.com:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>. (Tue, 06 Nov 2012 11:51:03 GMT).


Message #10 received at 692443@bugs.debian.org:

From: Thomas Dickey <dickey@his.com>
To: 692443@bugs.debian.org
Cc: 692443-submitter@bugs.debian.org
Subject: Re: Bug#692443: lynx-cur: CVE-2012-5821
Date: Tue, 06 Nov 2012 06:46:50 -0500
On Tue, Nov 06, 2012 at 11:57:59AM +0100, Moritz Muehlenhoff wrote:
> Package: lynx-cur
> Version: 2.8.7dev9-2.1

The package list for lynx-cur doesn't list that version.
It shows 2.8.8dev.5-1 as the lowest version.

> Severity: important
> Tags: security
> 
> Hi,
> please see Section 7.4 of this paper:
> http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
> 
> This has been assigned CVE-2012-5821.

The fix can be easily abstracted from the changes in dev.13

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net

Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#692443. (Tue, 06 Nov 2012 11:51:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#692443; Package lynx-cur. (Tue, 06 Nov 2012 11:57:05 GMT).


Acknowledgement sent to dickey@his.com:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>. (Tue, 06 Nov 2012 11:57:06 GMT).


Message #18 received at 692443@bugs.debian.org:

From: Thomas Dickey <dickey@his.com>
To: 692443@bugs.debian.org
Cc: 692443-submitter@bugs.debian.org
Subject: Re: Bug#692443: lynx-cur: CVE-2012-5821
Date: Tue, 06 Nov 2012 06:52:23 -0500
On Tue, Nov 06, 2012 at 06:46:50AM -0500, Thomas Dickey wrote:
> The fix can be easily abstracted from the changes in dev.13

(it is the small change made to WWW/Library/Implementation/HTTP.c, of course).

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net

Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#692443. (Tue, 06 Nov 2012 11:57:10 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#692443; Package lynx-cur. (Sat, 10 Nov 2012 14:36:02 GMT).


Acknowledgement sent to dickey@his.com:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>. (Sat, 10 Nov 2012 14:36:02 GMT).


Message #26 received at 692443@bugs.debian.org:

From: Thomas Dickey <dickey@his.com>
To: 692443-quiet@bugs.debian.org
Cc: 692443@bugs.debian.org, 692443-submitter@bugs.debian.org
Subject: Re: Bug#692443: lynx-cur: CVE-2012-5821
Date: Sat, 10 Nov 2012 09:33:36 -0500
On Tue, Nov 06, 2012 at 06:52:23AM -0500, Thomas Dickey wrote:
> On Tue, Nov 06, 2012 at 06:46:50AM -0500, Thomas Dickey wrote:
> > The fix can be easily abstracted from the changes in dev.13
> 
> (it is the small change made to WWW/Library/Implementation/HTTP.c, of course).

There was a followup fix from Jamie Strandboge, which is here:

	ftp://invisible-island.net/temp/lynx2.8.8dev.14a.patch.gz

I have (a small number of) additional fixes which I'm preparing for dev.15

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net

Information stored:
Bug#692443; Package lynx-cur. (Sat, 10 Nov 2012 14:36:04 GMT).


Acknowledgement sent to dickey@his.com:
Extra info received and filed, but not forwarded. (Sat, 10 Nov 2012 14:36:04 GMT).


Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#692443. (Sat, 10 Nov 2012 14:36:06 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#692443; Package lynx-cur. (Mon, 19 Nov 2012 11:57:06 GMT).


Acknowledgement sent to dickey@his.com:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>. (Mon, 19 Nov 2012 11:57:06 GMT).


Message #39 received at 692443@bugs.debian.org:

From: Thomas Dickey <dickey@his.com>
To: 692443@bugs.debian.org, 692443-submitter@bugs.debian.org
Subject: Re: Bug#692443: lynx-cur: CVE-2012-5821
Date: Mon, 19 Nov 2012 06:52:10 -0500
On Sat, Nov 10, 2012 at 09:33:36AM -0500, Thomas Dickey wrote:
> On Tue, Nov 06, 2012 at 06:52:23AM -0500, Thomas Dickey wrote:
> > On Tue, Nov 06, 2012 at 06:46:50AM -0500, Thomas Dickey wrote:
> > > The fix can be easily abstracted from the changes in dev.13
> > 
> > (it is the small change made to WWW/Library/Implementation/HTTP.c, of course).
> 
> There was a followup fix from Jamie Strandboge, which is here:
> 
> 	ftp://invisible-island.net/temp/lynx2.8.8dev.14a.patch.gz
> 
> I have (a small number of) additional fixes which I'm preparing for dev.15

2.8.8dev.15 was released yesterday.

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net

Added tag(s) fixed-upstream. Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org. (Mon, 19 Nov 2012 11:57:08 GMT).


Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#692443. (Mon, 19 Nov 2012 11:57:16 GMT).


Reply sent to Atsuhito KOHDA <kohda@debian.org>:
You have taken responsibility. (Thu, 22 Nov 2012 01:06:08 GMT).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 22 Nov 2012 01:06:08 GMT).


Message #49 received at 692443-close@bugs.debian.org:

From: Atsuhito KOHDA <kohda@debian.org>
To: 692443-close@bugs.debian.org
Subject: Bug#692443: fixed in lynx-cur 2.8.8dev.15-1
Date: Thu, 22 Nov 2012 01:02:39 +0000
Source: lynx-cur
Source-Version: 2.8.8dev.15-1

We believe that the bug you reported is fixed in the latest version of
lynx-cur, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Atsuhito KOHDA <kohda@debian.org> (supplier of updated lynx-cur package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 21 Nov 2012 21:54:10 +0900
Source: lynx-cur
Binary: lynx-cur lynx-cur-wrapper lynx
Architecture: source all i386
Version: 2.8.8dev.15-1
Distribution: unstable
Urgency: low
Maintainer: Atsuhito KOHDA <kohda@debian.org>
Changed-By: Atsuhito KOHDA <kohda@debian.org>
Description: 
 lynx       - Text-mode WWW Browser (transitional package)
 lynx-cur   - Text-mode WWW Browser with NLS support (development version)
 lynx-cur-wrapper - Wrapper for lynx-cur (transitional package)
Closes: 673385 691904 692443
Changes: 
 lynx-cur (2.8.8dev.15-1) unstable; urgency=low
 .
   * New Upstream Release.
    - Fixed a security bug, CVE-2012-5821: improve checking of certificates
      in the gnutls_certificate_verify_peers2() by handling special case where
      self-signed certificates should be reported (patch by Jamie Strandboge).
      (Closes: #692443)
    - revise nsl-fork logic for passing addrinfo and hostent data back
      to eliminate fixed limit on the number of records to return
      (Closes: #691904)
    - corrected position of highlighting from search/whereis function when using
      multibyte characters.  (Closes: #673385)
   * Updated patches files in debian/patches.

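Added example, not part of the bug log or of lynx's HTTP.c: a self-contained C model of the check that the changelog entry in the message above describes for gnutls_certificate_verify_peers2(). It assumes the flaw was that only a negative return from the verify call was treated as failure. The peers, the M_* flag values and model_verify_peers2() are constructed stand-ins, so it builds without GnuTLS.

```c
#include <stdio.h>

/* Stand-ins for GnuTLS status bits: names echo the library's flags,
   values are constructed for this example. */
enum { M_INVALID = 1, M_SIGNER_NOT_FOUND = 2, M_REVOKED = 4 };

/* Constructed peers: the (return value, status) pair a verify call yields. */
struct peer { const char *name; int ret; unsigned status; };
static const struct peer PEERS[] = {
    { "CA-signed",    0, 0 },
    { "self-signed",  0, M_INVALID | M_SIGNER_NOT_FOUND },
    { "revoked",      0, M_INVALID | M_REVOKED },
    { "no cert sent", -1, 0 },
};

/* Model of the gnutls_certificate_verify_peers2() contract: ret < 0 means
   the check could not run; ret == 0 means it ran, verdict is in *status. */
static int model_verify_peers2(const struct peer *p, unsigned *status)
{
    *status = p->status;
    return p->ret;
}

/* Assumed flaw shape: only the error return is treated as a failure. */
int accept_weak(const struct peer *p)
{
    unsigned status = 0;
    if (model_verify_peers2(p, &status) < 0)
        return 0;
    return 1;               /* status bits are never consulted here */
}

/* Hardened: a clean return AND an empty status are both required. */
int accept_strict(const struct peer *p)
{
    unsigned status = 0;
    if (model_verify_peers2(p, &status) < 0)
        return 0;
    return status == 0;
}

int main(void)
{
    for (size_t i = 0; i < sizeof PEERS / sizeof PEERS[0]; i++)
        printf("%-13s weak=%d strict=%d\n", PEERS[i].name,
               accept_weak(&PEERS[i]), accept_strict(&PEERS[i]));
    return 0;
}
```

Only the self-signed and revoked rows differ between the two checks: the call itself succeeds for them, so a test on the return value alone lets them through.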




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 20 Dec 2012 07:28:00 GMT).


Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Thu, 17 Jan 2013 12:36:02 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#692443; Package lynx-cur. (Fri, 18 Jan 2013 13:36:08 GMT).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>. (Fri, 18 Jan 2013 13:36:08 GMT).


Message #58 received at 692443@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 692443@bugs.debian.org
Subject: Re: lynx-cur: CVE-2012-5821
Date: Fri, 18 Jan 2013 12:15:03 -0000
Package: lynx-cur

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/692443/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Feb 2013 07:27:09 GMT).


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 14 Dec 2014 20:09:08 GMT).


Marked as found in versions lynx-cur/2.8.7dev9-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 14 Dec 2014 20:09:09 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 Jan 2015 07:27:54 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:28:02 2019; Machine Name: buxtehude
