Your message dated Mon, 09 Aug 2021 21:18:51 +0000
with message-id <e1mdcfb-0002x4...@fasolo.debian.org>
and subject line Bug#991971: fixed in lynx 2.9.0dev.6-3~deb11u1
has caused the Debian Bug report #991971,
regarding lynx: [CVE-2021-38165] SSL certificate validation fails with URLs containing user name or user name and password, i.e. https://user:password@host/ and https://user@host/; leaks password in clear text via SNI
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
991971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991971
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lynx
Version: 2.9.0dev.8-1
Severity: important
Tags: upstream, confirmed
Control: forwarded -1 https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
Control: found -1 2.8.9dev1-2+deb8u1
Control: found -1 2.8.9dev11-1
Control: found -1 2.8.9rel.1-3
Control: found -1 2.9.0dev.6-2

Thorsten Glaser reported the following on the upstream dev mailing list
at https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
(citing the parts that affect Debian, i.e. those when compiled against
GnuTLS and not OpenSSL):

> this affects both OpenSSL and Debian’s nonGNUtls builds:
> 
> lynx https://user:pass@host/
>
> … will lead to…
[…]
> SSL error:host(user:pass@host)!=cert(CN<mainhost>)-Continue? (n)
>
> … for nonGNUtls lynx.
> 
> Obviously, user:pass@ need to be stripped before comparing. The
> nonGNUtls version could also be changed to display the
> subjectAltName's the certificate has like the OpenSSL one does (after
> my patch from ages ago; […]

https://user@host/ is affected as well.

I was able to reproduce this issue in Lynx in all currently (in some
way) supported releases of Debian back to Debian 8 Jessie with ELTS
support and also in the most recent version in Debian Experimental.

P.S. to Thorsten: Feel free to set yourself as submitter of this bug
report. ☺

-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'testing-security'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages lynx depends on:
ii  libbsd0       0.11.3-1
ii  libbz2-1.0    1.0.8-4
ii  libc6         2.31-13
ii  libgnutls30   3.7.1-5
ii  libidn2-0     2.3.0-5
ii  libncursesw6  6.2+20201114-2
ii  libtinfo6     6.2+20201114-2
ii  lynx-common   2.9.0dev.6-2
ii  zlib1g        1:1.2.11.dfsg-2

Versions of packages lynx recommends:
ii  mime-support  3.66

lynx suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: lynx
Source-Version: 2.9.0dev.6-3~deb11u1
Done: Andreas Metzler <ametz...@debian.org>

We believe that the bug you reported is fixed in the latest version of
lynx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametz...@debian.org> (supplier of updated lynx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 08 Aug 2021 13:36:32 +0200
Source: lynx
Architecture: source
Version: 2.9.0dev.6-3~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Lynx Packaging Team <pkg-lynx-ma...@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametz...@debian.org>
Closes: 991971
Changes:
 lynx (2.9.0dev.6-3~deb11u1) bullseye-security; urgency=high
 .
   * Rebuild for bullseye-security.
 .
 lynx (2.9.0dev.6-3) unstable; urgency=high
 .
   * Apply fix from Lynx 2.9.0dev.9 for CVE-2021-38165 to fix leakage of
     username and password in the TLS 1.2 SNI Extension if username and
     password were given in the URL, i.e. as https://user:p...@example.org/
     (Closes: #991971)
Checksums-Sha1:
 d5ba3abe6c59ef3dc85557c37de7798222642cc3 2560 lynx_2.9.0dev.6-3~deb11u1.dsc
 bc62d8915a0083c2fe4fa0dc5cf48fd9f83fd9b2 2730690 lynx_2.9.0dev.6.orig.tar.bz2
 0517d1a5630ed147597fd350c68c4689ec2c12d2 265 lynx_2.9.0dev.6.orig.tar.bz2.asc
 56d4346e26db3235a67ff934e1aab9c45a2929d8 30124 lynx_2.9.0dev.6-3~deb11u1.debian.tar.xz
Checksums-Sha256:
 fb8cf8cfe9dbe879c25002fc670c8ca355f3ec37a91a66b5455e78f7fe344390 2560 lynx_2.9.0dev.6-3~deb11u1.dsc
 78f0be7f81f4b84d8d33b45a05145f015e35355109be350e461de5c03abf53b2 2730690 lynx_2.9.0dev.6.orig.tar.bz2
 22e3b7394187aef75c7a783f4f789ef8d68b9266a15e747d92bd914563a93180 265 lynx_2.9.0dev.6.orig.tar.bz2.asc
 1086daa008f96775df5964341c77b1069b5233eeefbb7b577e49f45763918610 30124 lynx_2.9.0dev.6-3~deb11u1.debian.tar.xz
Files:
 668fe9e0c5933c238db04d72a47d4cb2 2560 web optional lynx_2.9.0dev.6-3~deb11u1.dsc
 86fa225340422f40a9a1a5c4243d8c91 2730690 web optional lynx_2.9.0dev.6.orig.tar.bz2
 e56d1480fe48dbd3c39338038ba2430a 265 web optional lynx_2.9.0dev.6.orig.tar.bz2.asc
 1bc51a1c4dc71f1ba7fba593df2e0505 30124 web optional lynx_2.9.0dev.6-3~deb11u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
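The defect described in the report above (the whole "user:pass@host" authority being used both as the name compared against the certificate and as the TLS SNI host name) and the fix summarised in the changelog (strip the username and password before the TLS layer sees the host) come down to one parsing step. The following C is an added illustration written for this page; it is not lynx's own code and not the upstream patch. The function names `naive_host`, `sni_host` and `host_matches_cert` are made up for the example, and the URLs passed in `main` are constructed test inputs taken from the report's wording.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Locate the authority component: everything between "scheme://" and the
 * first '/', '?' or '#'. Returns its length and sets *start to its first byte. */
static size_t authority_span(const char *url, const char **start)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    const char *end = strpbrk(p, "/?#");
    if (!end)
        end = p + strlen(p);
    *start = p;
    return (size_t)(end - p);
}

/* The buggy behaviour the report describes, modelled for comparison: the whole
 * authority (userinfo included) is treated as the host. For
 * "https://user:pass@host/" this yields "user:pass@host", which then fails
 * the certificate check and, worse, is sent in clear text as the SNI name. */
bool naive_host(const char *url, char *out, size_t outlen)
{
    const char *a;
    size_t n = authority_span(url, &a);
    if (n + 1 > outlen)
        return false;
    memcpy(out, a, n);
    out[n] = '\0';
    return true;
}

/* Hardened extraction: drop the userinfo ("user:pass@") and any ":port" so
 * that only the host reaches certificate matching and the SNI extension.
 * Per RFC 3986 section 3.2 the userinfo ends at the last '@' of the authority.
 * Bracketed IPv6 literals are kept intact; note that RFC 6066 section 3
 * forbids sending any IP literal as an SNI host name, so a caller must skip
 * SNI entirely for those. */
bool sni_host(const char *url, char *out, size_t outlen)
{
    const char *a;
    size_t n = authority_span(url, &a);

    const char *at = NULL;
    for (size_t i = 0; i < n; i++)
        if (a[i] == '@')
            at = a + i;
    if (at) {
        n -= (size_t)(at + 1 - a);
        a = at + 1;
    }

    const char *hend;
    if (n > 0 && a[0] == '[') {                 /* IPv6 literal "[...]" */
        const char *close = memchr(a, ']', n);
        if (!close)
            return false;                       /* malformed literal */
        hend = close + 1;
    } else {
        const char *colon = memchr(a, ':', n);  /* start of ":port", if any */
        hend = colon ? colon : a + n;
    }

    size_t hlen = (size_t)(hend - a);
    if (hlen == 0 || hlen + 1 > outlen)
        return false;                           /* empty host or no room */
    memcpy(out, a, hlen);
    out[hlen] = '\0';
    return true;
}

/* Compare the extracted host with a name from the certificate. DNS names are
 * case-insensitive, so the comparison is too. Returns false for any URL the
 * hardened extractor rejects, which fails closed rather than open. */
bool host_matches_cert(const char *url, const char *cert_name)
{
    char host[256];
    if (!sni_host(url, host, sizeof host))
        return false;
    return strcasecmp(host, cert_name) == 0;
}

int main(void)
{
    /* Constructed inputs mirroring the two URL shapes named in the report. */
    const char *urls[] = { "https://user:pass@host/", "https://user@host/" };
    char naive[256], fixed[256];
    for (size_t i = 0; i < 2; i++) {
        naive_host(urls[i], naive, sizeof naive);
        sni_host(urls[i], fixed, sizeof fixed);
        printf("%-26s naive=%-16s fixed=%s\n", urls[i], naive, fixed);
    }
    return 0;
}
```

The point of keeping `naive_host` next to `sni_host` is that the two differ only in the userinfo and port handling, yet the naive form turns a credential into a plaintext ClientHello field. A regression test that feeds a URL with userinfo through the host extractor and asserts the result contains no '@' is the cheapest way to keep this class of bug from coming back.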
