On Sat, Aug 07, 2021 at 08:17:31PM +0200, Salvatore Bonaccorso wrote:
> Hi Axel,
...
> MITRE did assign CVE-2021-38165. MITRE raised the question: Does
> 2.9.0dev.9 (mentioned on the
> https://lynx.invisible-island.net/current/CHANGES.html page) fix the
> entire problem?
> https://www.openwall.com/lists/oss-security/2021/08/07/7 claims that
> credentials appear in the HTTP Host header to an http:// (i.e.,
> non-SSL) website.
I considered that possibility, but (using Axel's hint on how he tested) found nothing in the data shown in "Follow TCP Stream" for this case. Perhaps you could explain how you've tested this case, and how to repeat the results.

(The suggested patch, by the way, is unsuitable because it breaks the known-to-be-insecure use of user credentials in a non-HTTPS URL.)

-- 
Thomas E. Dickey <dic...@invisible-island.net>
https://invisible-island.net
ftp://ftp.invisible-island.net
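The disagreement above is about what a plaintext http:// request actually contains when the URL carries user:password@ credentials. The script below is an added example, not Lynx's code and not the patch under discussion: it takes the raw bytes of one client request as you would copy them out of Wireshark's "Follow TCP Stream" and reports where the URL's credentials appear. It separates the reported bug (userinfo carried into the Host header, which RFC 7230 defines as uri-host with an optional port only) from the deliberate, known-insecure behaviour of sending the same credentials in an Authorization: Basic header over http://. The two sample requests, the hostname example.com and the user-agent string are constructed for the example.

```python
"""Check a captured plaintext HTTP request for credential leakage.

Added example (not Lynx's code). Given the URL the client was asked to
fetch and the raw request bytes seen on the wire, report whether the
user:password@ part of the URL ended up in the Host header, in the
request line, or only in the Authorization header.
"""
import base64
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def expected_host_header(url: str) -> str:
    """Host header value a client should send for url: the hostname, plus
    the port only when it is not the scheme default. Userinfo never
    belongs there (RFC 7230 section 5.4: Host = uri-host [ ":" port ]).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        host = f"{host}:{parts.port}"
    return host


def parse_request_head(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, {lowercased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_credential_leaks(url: str, raw_request: bytes) -> dict:
    """Report where the credentials embedded in url show up in raw_request."""
    parts = urlsplit(url)
    secret = parts.password or ""
    request_line, headers = parse_request_head(raw_request)
    host = headers.get("host", "")

    # Decode a Basic credential if one was sent, so it can be compared to the URL.
    basic_plain = ""
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            basic_plain = base64.b64decode(auth[6:]).decode("iso-8859-1")
        except (ValueError, UnicodeDecodeError):
            basic_plain = ""

    return {
        # The reported bug: userinfo carried into the Host header.
        "host_has_userinfo": "@" in host,
        "host_matches_url": host == expected_host_header(url),
        # Password visible in the request line (e.g. an absolute-form target)?
        "password_in_request_line": bool(secret) and secret in request_line,
        # Intended (but plaintext over http://) transmission of the credentials.
        "basic_auth_matches_url": basic_plain == f"{parts.username or ''}:{secret}",
    }


# Constructed sample captures, shaped like what "Follow TCP Stream" shows.
URL = "http://user:secret@example.com/private/"

LEAKY_REQUEST = (
    b"GET /private/ HTTP/1.1\r\n"
    b"Host: user:secret@example.com\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"\r\n"
)

CLEAN_REQUEST = (
    b"GET /private/ HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Authorization: Basic " + base64.b64encode(b"user:secret") + b"\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("leaky", LEAKY_REQUEST), ("clean", CLEAN_REQUEST)):
        print(label, find_credential_leaks(URL, req))
```

To reproduce the test in the thread, replace the constructed byte strings with the request bytes exported from the capture; a result with host_has_userinfo true is the leak being claimed, while basic_auth_matches_url true on its own is the expected behaviour of credentials in a non-HTTPS URL that the rejected patch would have broken.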