000317 Klaus Weide forwarded:
> Date: Fri, 17 Mar 2000 11:00:06 -0500
> From: Servio Medina <[EMAIL PROTECTED]>
> Subject: lynx 2.8.x - 'special URLs' anti-spoofing protection is weak
> I just scanned through the posts that are archived at
>  http://www.flora.org/lynx-dev/html/month111999/
> to obtain further understanding of what security threats truly exist
> and what measures have been/are being taken to address these.
> A recent FreeBSD Security Announcement has brought more attention
> to this issue & I am hoping to receive appropriate clarification.
> I work for Infrastructure Defense, which provides private publications
> to Fortune 500 companies about information/computer security trends.
> I strive to contact the appropriate parties whenever there is a question
> as to the veracity of a post, claim, other.

very fair & decent: presumably, TD's response clarifies.  however, ...
 
> FreeBSD-SA-00:08 Security Advisory
> Topic:        Lynx ports contain numerous buffer overflows
> Category:       ports
> Module:         lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current
> Announced:      2000-03-15

NB it is dated this week, not 6 mths ago.

> Affects:        Ports collection before the correction date.
> Corrected:      See below.
> FreeBSD only:   NO
-- snip -- 
> II.  Problem Description
> The lynx software is written in a very insecure style
> & contains numerous potential and several proven security vulnerabilities
> (publicized on BugTraq mailing list) exploitable by a malicious server.

if Lynx were a commercial operation,
wouldn't we be reaching for our lawyers right at this point?
this is a wild & unsubstantiated claim, widely distributed,
irresponsibly ignoring the latest development version(s)
& Lynx discussions on the subject.
we would deny any truth to their claim as of 000315, wouldn't we?

-- snip -- 
> III. Impact
> A malicious server which is visited by a user with the lynx browser
> can exploit the browser security holes
> in order to execute arbitrary code as the local user.
-- snip --
> IV.  Workaround
> Remove the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports,
> if you have installed them.
> V.   Solution
> Unfortunately, there is no simple fix to the security problems
> with the lynx code: it will require a full review
> by the lynx development team and recoding of the affected sections
> with a more security-conscious attitude.

this outfit are telling people not to use Lynx
on the ground that it is dangerously insecure.
do we accept that assessment?  again, wouldn't a commercial company sue?
 
-- snip --
-- 
========================,,============================================
SUPPORT     ___________//___,  Philip Webb : [EMAIL PROTECTED]
ELECTRIC   /] [] [] [] [] []|  Centre for Urban & Community Studies
TRANSIT    `-O----------O---'  University of Toronto
