Hi Brian,

On Mon, Nov 14, 2016 at 06:09:56PM +1100, Brian May wrote:
> Hello,
>
> Just wondered why you marked CVE-2016-9179 as Slight mitigation in
> 2.8.9dev.10? Is there any documentation that talks about the
> changes in 2.8.9dev.10?
The update in 2.8.9dev.10 does not really fix the issue (thus the bug was not closed by the maintainer either, I think), because it only "improves" the message. I do not have an isolated change at hand, but https://anonscm.debian.org/cgit/pkg-lynx/lynx.git/commit/?id=cac725f0f5c4bb35091a06e90c876195e907ea9e documents the 2.8.9dev.10 import:

+* improve warning message when stripping user/password from URL; report on
+  http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the
+  punctuation such as "?" which is permitted by RFC-1738 in a user or password
+  field. RFC-3986 subsequently modified this. The improved message points out
+  the possible confusion by users when these fields contain punctuation -TD

but you will still, contrary to other browsers, be redirected to the wrong site. E.g.

lynx http://google.com?@www.debian.org/

will/should still direct you to the wrong place. I'm not aware of a "fix" yet.

Regards, and I hope this clarifies why this was not marked as fixed with the 2.8.9dev.10 upload,
Salvatore

p.s.: The mail via carnil@moszumanska.d.o did not arrive, but I was lurking in d-lts so I saw your mail. I think mails to username@moszumanska.d.o are not correctly delivered to username@d.o (but I might be wrong). In previous alioth setups I seem to remember this worked correctly.
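Review bot: the changelog entry describes the report as having "treated as a Lynx parsing error" punctuation that RFC-1738 permits, and records only a warning-message change, but it never states that the host selection itself is unchanged, i.e. that a URL such as http://google.com?@www.debian.org/ is still resolved to the host after "@" while other browsers go to google.com. Since the reply above has to explain by hand that this is not a fix, the entry should say so explicitly and name the bug report it relates to (e.g. "this does not change which host is contacted; the report remains open"), so that security tracking tools and readers do not mistake an improved message for a fix.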
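To make the disagreement behind the example URL concrete, here is an added illustration that is not part of the thread and not Lynx's code. RFC 3986 ends the authority at the first "/", "?" or "#", so "?" can never be part of userinfo; RFC 1738 only required ":", "@" and "/" to be escaped inside user/password, so a scanner written to that rule keeps looking for "@" past the "?" and stops only at the first "/". The `authority_rfc1738` function below is a hypothetical, simplified RFC 1738 style scanner written for this example (it is not how Lynx parses), the RFC 3986 side uses Python's `urllib.parse`, and the sample URLs are constructed; `host_is_ambiguous` is a small pre-flight check a practitioner could run on URLs before handing them to an older client.

```python
"""Constructed example: RFC 3986 vs. RFC 1738 style authority parsing.

Not Lynx's code. Shows why http://google.com?@www.debian.org/ names
google.com under RFC 3986 but www.debian.org under an RFC 1738 style scan.
"""
from urllib.parse import urlsplit


def authority_rfc3986(url):
    """Return (userinfo, host) as RFC 3986 defines them.

    urllib.parse stops the authority at the first '/', '?' or '#', so for
    http://google.com?@www.debian.org/ the netloc is just 'google.com' and
    '@www.debian.org/' becomes the query string.
    """
    parts = urlsplit(url)
    userinfo, at, _ = parts.netloc.rpartition("@")
    return (userinfo if at else None, parts.hostname)


def authority_rfc1738(url):
    """Return (userinfo, host) as a naive RFC 1738 style scanner sees them.

    Hypothetical illustration of the RFC 1738 section 3.1 rule, not Lynx's
    parser: only ':', '@' and '/' must be escaped inside user/password, so
    '?' and '#' are ordinary userinfo characters and the authority runs up
    to the first '/'. The last '@' before that '/' separates userinfo from
    host. (Bracketed IPv6 hosts are ignored for brevity.)
    """
    _, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("expected an absolute URL with a scheme")
    authority = rest.partition("/")[0]
    userinfo, at, hostport = authority.rpartition("@")
    host = hostport.partition(":")[0].lower()
    return (userinfo if at else None, host)


def host_is_ambiguous(url):
    """True when the two interpretations would contact different hosts.

    A userinfo that contains '?' or '#' is exactly the case where an
    RFC 1738 era client and an RFC 3986 client disagree; rejecting or
    warning on such URLs avoids sending a user to the wrong site.
    """
    return authority_rfc3986(url)[1] != authority_rfc1738(url)[1]


if __name__ == "__main__":
    # Constructed sample URLs; the first is the one from the thread.
    samples = [
        "http://google.com?@www.debian.org/",
        "http://a.test#@b.test/",
        "http://user:pw@example.org/path?q=1",
        "http://example.org/?@example.net/",
    ]
    for u in samples:
        print(u)
        print("  RFC 3986:", authority_rfc3986(u))
        print("  RFC 1738:", authority_rfc1738(u))
        print("  ambiguous:", host_is_ambiguous(u))
```

The check is deliberately conservative: it flags a URL whenever the two readings pick different hosts, which is the property that matters for a user being redirected, rather than trying to decide which reading is "correct".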