Your message dated Sun, 08 Aug 2021 01:21:30 +0000
with message-id <e1mcxvk-000dft...@fasolo.debian.org>
and subject line Bug#991971: fixed in lynx 2.9.0dev.6-3
has caused the Debian Bug report #991971,
regarding lynx: [CVE-2021-38165] SSL certificate validation fails with URLs containing user name or user name and password, i.e. https://user:password@host/ and https://user@host/; leaks password in clear text via SNI
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
991971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991971
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lynx
Version: 2.9.0dev.8-1
Severity: important
Tags: upstream, confirmed
Control: forwarded -1 https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
Control: found -1 2.8.9dev1-2+deb8u1
Control: found -1 2.8.9dev11-1
Control: found -1 2.8.9rel.1-3
Control: found -1 2.9.0dev.6-2

Thorsten Glaser reported the following on the upstream dev mailing list
at https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
(citing the parts that affect Debian, i.e. those when compiled against
GnuTLS and not OpenSSL):

> this affects both OpenSSL and Debian’s nonGNUtls builds:
> 
> lynx https://user:pass@host/
>
> … will lead to…
[…]
> SSL error:host(user:pass@host)!=cert(CN<mainhost>)-Continue? (n)
>
> … for nonGNUtls lynx.
> 
> Obviously, user:pass@ need to be stripped before comparing. The
> nonGNUtls version could also be changed to display the
> subjectAltName's the certificate has like the OpenSSL one does (after
> my patch from ages ago; […]

https://user@host/ is affected as well.

I was able to reproduce this issue in Lynx in all currently (in some
way) supported releases of Debian back to Debian 8 Jessie with ELTS
support and also in the most recent version in Debian Experimental.

P.S. to Thorsten: Feel free to set yourself as submitter of this bug
report. ☺

-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'testing-security'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages lynx depends on:
ii  libbsd0       0.11.3-1
ii  libbz2-1.0    1.0.8-4
ii  libc6         2.31-13
ii  libgnutls30   3.7.1-5
ii  libidn2-0     2.3.0-5
ii  libncursesw6  6.2+20201114-2
ii  libtinfo6     6.2+20201114-2
ii  lynx-common   2.9.0dev.6-2
ii  zlib1g        1:1.2.11.dfsg-2

Versions of packages lynx recommends:
ii  mime-support  3.66

lynx suggests no packages.

-- no debconf information

--- End Message ---
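The host extraction the report calls for, as an added example in C that is neither lynx's code nor the upstream fix: the userinfo ("user:pass@") and any port are stripped from the URL authority before the name is handed to the TLS layer for SNI and for the certificate name comparison, so the credentials can neither leak on the wire nor break validation. The function names, the exact-match comparison and the sample authority are constructed for this illustration.

```c
/* Added example, not lynx code: extract the host from a URL authority so
 * that userinfo ("user:pass@") never reaches the TLS layer, where it would
 * be sent in the SNI extension and compared against the certificate name. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the host of "[userinfo@]host[:port]" into out (IPv6 brackets removed).
 * Returns the host length, or -1 if the host is empty or out is too small. */
int authority_host(const char *authority, char *out, size_t outlen)
{
    const char *at = strrchr(authority, '@');  /* last '@' ends userinfo */
    const char *p = at ? at + 1 : authority;
    const char *end;
    size_t n;

    if (*p == '[') {                          /* IPv6 literal "[::1]:443" */
        end = strchr(++p, ']');
        if (end == NULL)
            return -1;
    } else if ((end = strchr(p, ':')) == NULL) {
        end = p + strlen(p);
    }
    n = (size_t)(end - p);
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Case-insensitive exact comparison of a host with a certificate name
 * (no wildcard support; the point is what gets compared, not how). */
int host_matches_cert_name(const char *host, const char *cert_name)
{
    for (; *host && *cert_name; host++, cert_name++)
        if (tolower((unsigned char)*host) != tolower((unsigned char)*cert_name))
            return 0;
    return *host == '\0' && *cert_name == '\0';
}

int main(void)
{
    const char *authority = "user:pass@example.org"; /* constructed sample */
    char host[256];
    /* Flawed flow: the raw authority is used as the TLS host name. */
    printf("raw:   match=%d\n", host_matches_cert_name(authority, "example.org"));
    /* Fixed flow: strip userinfo and port, then use the bare host. */
    if (authority_host(authority, host, sizeof host) > 0)
        printf("fixed: sni=%s match=%d\n", host, host_matches_cert_name(host, "example.org"));
    return 0;
}
```

With the raw authority the comparison fails (the "host(user:pass@host)!=cert(...)" prompt in the report) and the SNI would carry the password; after stripping, the bare host both matches and is all that is sent.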
--- Begin Message ---
Source: lynx
Source-Version: 2.9.0dev.6-3
Done: Axel Beckert <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
lynx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <a...@debian.org> (supplier of updated lynx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 08 Aug 2021 02:27:54 +0200
Source: lynx
Architecture: source
Version: 2.9.0dev.6-3
Distribution: unstable
Urgency: high
Maintainer: Debian Lynx Packaging Team <pkg-lynx-ma...@lists.alioth.debian.org>
Changed-By: Axel Beckert <a...@debian.org>
Closes: 991971
Changes:
 lynx (2.9.0dev.6-3) unstable; urgency=high
 .
   * Apply fix from Lynx 2.9.0dev.9 for CVE-2021-38165 to fix leakage of
     username and password in the TLS 1.2 SNI Extension if username and
     password were given in the URL, i.e. as https://user:p...@example.org/
     (Closes: #991971)


--- End Message ---
