Your message dated Sat, 07 Aug 2021 16:03:35 +0000
with message-id <[email protected]>
and subject line Bug#991971: fixed in lynx 2.9.0dev.9-1
has caused the Debian Bug report #991971,
regarding lynx: SSL certificate validation fails with URLs containing user name or user name and password, i.e. https://user:password@host/ and https://user@host/; leaks password in clear text via SNI
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
991971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991971
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lynx
Version: 2.9.0dev.8-1
Severity: important
Tags: upstream, confirmed
Control: forwarded -1 https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
Control: found -1 2.8.9dev1-2+deb8u1
Control: found -1 2.8.9dev11-1
Control: found -1 2.8.9rel.1-3
Control: found -1 2.9.0dev.6-2

Thorsten Glaser reported the following on the upstream dev mailing list
at https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
(citing the parts that affect Debian, i.e. those when compiled against
GnuTLS and not OpenSSL):

> this affects both OpenSSL and Debian’s nonGNUtls builds:
> 
> lynx https://user:pass@host/
>
> … will lead to…
[…]
> SSL error:host(user:pass@host)!=cert(CN<mainhost>)-Continue? (n)
>
> … for nonGNUtls lynx.
> 
> Obviously, user:pass@ needs to be stripped before comparing. The
> nonGNUtls version could also be changed to display the
> subjectAltNames the certificate has like the OpenSSL one does (after
> my patch from ages ago; […]

https://user@host/ is affected as well.

I was able to reproduce this issue in Lynx in all currently (in some
way) supported releases of Debian back to Debian 8 Jessie with ELTS
support and also in the most recent version in Debian Experimental.

P.S. to Thorsten: Feel free to set yourself as submitter of this bug
report. ☺

-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'testing-security'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages lynx depends on:
ii  libbsd0       0.11.3-1
ii  libbz2-1.0    1.0.8-4
ii  libc6         2.31-13
ii  libgnutls30   3.7.1-5
ii  libidn2-0     2.3.0-5
ii  libncursesw6  6.2+20201114-2
ii  libtinfo6     6.2+20201114-2
ii  lynx-common   2.9.0dev.6-2
ii  zlib1g        1:1.2.11.dfsg-2

Versions of packages lynx recommends:
ii  mime-support  3.66

lynx suggests no packages.

-- no debconf information

--- End Message ---
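The report's point is that the userinfo part of the URL (user:pass@) must be removed before the host is used for SNI and for the certificate name comparison; otherwise the comparison fails and the credentials go out in clear text in the ClientHello. As an added illustration (not lynx's code; the names ssl_host_from_url, sni_name_is_clean, host_matches_cert_name and host_equals are mine), a C routine that extracts only the host from an https URL, with a check that would have flagged the symptom shown in the report:

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the host of an http(s) URL into `out`, dropping userinfo, port,
 * path/query and IPv6 brackets. Returns 0 on success, -1 on malformed input.
 * Hypothetical helper, not lynx's HTLoadHTTP. */
int ssl_host_from_url(const char *url, char *out, size_t outlen) {
    const char *p = strstr(url, "://");
    if (p == NULL) return -1;
    const char *auth = p + 3;
    const char *end = strpbrk(auth, "/?#");       /* authority ends here */
    if (end == NULL) end = auth + strlen(auth);
    const char *at = NULL;                        /* last raw '@' in authority */
    for (const char *q = auth; q < end; q++)
        if (*q == '@') at = q;
    const char *host = at ? at + 1 : auth;        /* skip "user:pass@" */
    const char *hend = end;
    if (*host == '[') {                           /* IPv6 literal: [::1]:8443 */
        const char *rb = memchr(host, ']', (size_t)(end - host));
        if (rb == NULL) return -1;
        host++;
        hend = rb;
    } else {
        const char *colon = memchr(host, ':', (size_t)(end - host));
        if (colon != NULL) hend = colon;          /* drop ":port" */
    }
    size_t n = (size_t)(hend - host);
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, host, n);
    out[n] = '\0';
    return 0;
}

/* A DNS name destined for SNI must never contain '@' or ':'; the report's
 * "host(user:pass@host)" message is exactly what this rejects. */
int sni_name_is_clean(const char *name) {
    return *name != '\0' && strchr(name, '@') == NULL && strchr(name, ':') == NULL;
}

/* Exact, case-insensitive match against a certificate CN/SAN entry. */
int host_matches_cert_name(const char *host, const char *certname) {
    return strcasecmp(host, certname) == 0;
}

/* Convenience: 1 if extraction succeeds and yields `expect`. */
int host_equals(const char *url, const char *expect) {
    char h[256];
    return ssl_host_from_url(url, h, sizeof h) == 0 && strcmp(h, expect) == 0;
}
```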
--- Begin Message ---
Source: lynx
Source-Version: 2.9.0dev.9-1
Done: Andreas Metzler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
lynx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated lynx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sat, 07 Aug 2021 17:45:43 +0200
Source: lynx
Architecture: source
Version: 2.9.0dev.9-1
Distribution: experimental
Urgency: high
Maintainer: Debian Lynx Packaging Team <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 991971
Changes:
 lynx (2.9.0dev.9-1) experimental; urgency=high
 .
   * New upstream version.
     + Strip user/password from ssl_host in HTLoadHTTP, incorrectly passed
       as part of the server name indicator (Debian #991971) -TD
       Does not pass user/passwd. Closes: #991971
   * Add b-d on pkg-config.


--- End Message ---
