On Sun, Aug 08, 2021 at 01:54:56AM +0200, Axel Beckert wrote:
> Hi Andreas,
>
> Andreas Metzler wrote:
> > > tags 991971 fixed-upstream
> > > Bug #991971 [lynx] lynx: SSL certificate validation fails with URLs
> > > containing user name or user name and password, i.e.
> > > https://user:password@host/ and https://user@host/; leaks password in
> > > clear text via SNI
> > > Added tag(s) fixed-upstream.
> >
> > Hello,
> >
> > I have just uploaded .9 to experimental.
>
> Thanks a lot! Went to bed in the morning last night, so I was really
> happy to see at least Experimental already being fixed when I woke up
> again.
>
> > The deadline for bullseye unblock requests has passed, so we will
> > need to fix this by security/point release.
>
> Hrm, right, thanks for the reminder.
>
> I nevertheless will update Unstable with a fix. It might be helpful
> for the Security Team (Cc'ed) or us to prepare a stable-update for
> Bullseye.
>
> Security Team: Do you think the fix for CVE-2021-38165 should get a
> DSA? Or do you think it's not important enough and we should target a
> minor stable update for it?
This breaks a pretty fundamental security assumption for a browser, so we should fix it via -security, even though lynx is a fringe browser. bullseye-security is operational, so we can do both at the same time so that bullseye will be fixed from day one.

Cheers,
Moritz
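For readers of this thread who want to see the class of defect in #991971 concretely: the example below is added here and is not lynx code. It contrasts a client that derives the TLS server name from the whole URL authority (so the userinfo from https://user:password@host/ ends up in the cleartext SNI extension and in the name matched against the certificate) with one that takes only the host. The function names are my own, the URLs are constructed samples.

```python
from urllib.parse import urlsplit


def naive_tls_server_name(url: str) -> str:
    """Defective pattern (hypothetical): the full authority component is
    used as the TLS server name. For https://user:password@host/ this is
    'user:password@host', so the credentials go out unencrypted in the
    ClientHello's SNI extension, and hostname validation against the
    certificate cannot match either."""
    return urlsplit(url).netloc


def safe_tls_server_name(url: str) -> str:
    """Correct pattern: use only the host part for SNI and certificate
    name matching. urlsplit().hostname strips userinfo and port."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("expected an https URL")
    host = parts.hostname
    if not host or "@" in host:
        raise ValueError("no usable host in URL authority")
    return host


def userinfo_in_server_name(url: str, server_name: str) -> bool:
    """Defensive check: does the name about to be sent as SNI still carry
    the URL's userinfo (username and/or password)?"""
    parts = urlsplit(url)
    for secret in (parts.username, parts.password):
        if secret and secret in server_name:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample URLs mirroring the ones in the bug title.
    for sample in ("https://user:password@host/", "https://user@host/"):
        bad, good = naive_tls_server_name(sample), safe_tls_server_name(sample)
        print(sample, "-> naive SNI:", bad,
              "(leaks userinfo)" if userinfo_in_server_name(sample, bad) else "",
              "| safe SNI:", good)
```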