Package: lynx Version: 2.9.0dev.8-1 Severity: important Tags: upstream, confirmed Control: forwarded -1 https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html Control: found -1 2.8.9dev1-2+deb8u1 Control: found -1 2.8.9dev11-1 Control: found -1 2.8.9rel.1-3 Control: found -1 2.9.0dev.6-2
Thorsten Glaser reported the following on the upstream dev mailing list at https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html (citing the parts that affect Debian, i.e. those when compiled against GnuTLS and not OpenSSL): > this affects both OpenSSL and Debian’s nonGNUtls builds: > > lynx https://user:pass@host/ > > … will lead to… […] > SSL error:host(user:pass@host)!=cert(CN<mainhost>)-Continue? (n) > > … for nonGNUtls lynx. > > Obviously, user:pass@ need to be stripped before comparing. The > nonGNUtls version could also be changed to display the > subjectAltName''s the certificate has like the OpenSSL one does (after > my patch from ages ago; […] https://user@host/ is affected as well. I was able to reproduce this issue in Lynx in all currently (in some way) supported releases of Debian back to Debian 8 Jessie with ELTS support and also in the most recent version in Debian Experimental. P.S. to Thorsten: Feel free to set yourself as submitter of this bug report. ☺ -- System Information: Debian Release: 11.0 APT prefers unstable APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'testing-security'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) LSM: AppArmor: enabled Versions of packages lynx depends on: ii libbsd0 0.11.3-1 ii libbz2-1.0 1.0.8-4 ii libc6 2.31-13 ii libgnutls30 3.7.1-5 ii libidn2-0 2.3.0-5 ii libncursesw6 6.2+20201114-2 ii libtinfo6 6.2+20201114-2 ii lynx-common 2.9.0dev.6-2 ii zlib1g 1:1.2.11.dfsg-2 Versions of packages lynx recommends: ii mime-support 3.66 lynx suggests no packages. -- no debconf information