> very fair & decent: presumably, TD's response clarifies. however, ...
I did have a short conversation with the 'security officer'.
He stopped responding when I asked for what version, what bug.
> > FreeBSD-SA-00:08 Security Advisory
> > Topic: Lynx ports contain numerous buffer overflows
> > Category: ports
> > Module: lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current
> > Announced: 2000-03-15
>
> NB it is dated this week, not 6 mths ago.
true (but they'll take the attitude that they're determining what's "current").
I took a tour through their web cvs interface to determine what they're
calling "current".
> > Affects: Ports collection before the correction date.
> > Corrected: See below.
> > FreeBSD only: NO
this of course is inaccurate (other distributions have more-current "current")
> -- snip --
> > II. Problem Description
> > The lynx software is written in a very insecure style
> > & contains numerous potential and several proven security vulnerabilities
> > (publicized on BugTraq mailing list) exploitable by a malicious server.
>
> if Lynx were a commercial operation,
> wouldn't we be reaching for our lawyers right at this point?
> this is a wild & unsubstantiated claim, widely distributed,
> irresponsibly ignoring the latest development version(s)
> & Lynx discussions on the subject.
> we would deny any truth to their claim as of 000315, wouldn't we?
The actual lynx-current does fix those & other problems.
> this outfit are telling people not to use Lynx
> on the ground that it is dangerously insecure.
> do we accept that assessment? again, wouldn't a commercial company sue?
some would (but look at the original source of the comments - someone
who posts articles claiming that a file opened for read can overwrite
arbitrary files on the system ;-)
> SUPPORT ___________//___, Philip Webb : [EMAIL PROTECTED]
--
Thomas E. Dickey
[EMAIL PROTECTED]
http://www.clark.net/pub/dickey