Re: CVE-2016-9179
Hi Brian,
On Mon, Nov 14, 2016 at 06:09:56PM +1100, Brian May wrote:
> Hello,
>
> Just wondered why you marked CVE-2016-9179 as Slight mitigation in
> 2.8.9dev.10? Is there any documentation that talks about the
> changes in 2.8.9dev.10?
The update in 2.8.9dev.10 does not really fix the issue (thus the bug
was not closed by the maintainer either, I think), because it only
"improves" the message. I do not have an isolated change at hand, but
https://anonscm.debian.org/cgit/pkg-lynx/lynx.git/commit/?id=cac725f0f5c4bb35091a06e90c876195e907ea9e
documents the 2.8.9dev.10 import:
+* improve warning message when stripping user/password from URL; report on
+ http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the
+ punctuation such as "?" which is permitted by RFC-1738 in a user or password
+ field. RFC-3986 subsequently modified this. The improved message points out
+ the possible confusion by users when these fields contain punctuation -TD
but you will still -- contrary to other browsers -- be
redirected to the wrong site. E.g.
lynx http://google.com?@www.debian.org/
will/should still direct you to the wrong place.
I'm not aware of a "fix" yet.
Regards and hope this clarifies why this was not marked as fixed with
the 2.8.9dev.10 upload,
Salvatore
p.s.: The mail via carnil@moszumanska.d.o did not arrive, but I was
lurking in d-lts so saw your mail. I think mails to
username@moszumanska.d.o are not correctly delivered to
username@d.o (but I might be wrong). In previous alioth setups I
seem to remember this worked correctly.
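The confusion discussed above comes down to where the authority (userinfo, host, port) ends. Under RFC 3986 the authority stops at the first "/", "?" or "#", so in http://google.com?@www.debian.org/ the host is google.com and "@www.debian.org/" is merely the query string; a parser that reads everything up to the first "/" as the authority (the RFC 1738-era reading, where "?" was permitted inside user and password) instead sees "google.com?" as a user name and www.debian.org as the host. The following is an added example, not Lynx's code or anything from the thread: a small RFC 3986 authority splitter beside the naive one, a check that flags URLs on which the two disagree, and a credential-stripping step of the kind a client should perform before connecting. The google.com/debian.org URL is the one quoted in the mail; the other sample URLs are constructed.

```python
import re

# RFC 3986, section 3.2: authority = [ userinfo "@" ] host [ ":" port ]
# The authority component runs from "//" to the next "/", "?" or "#".
_AUTHORITY_END = re.compile(r"[/?#]")


def _split_hostport(hostport):
    """Split host[:port], keeping IPv6 literals such as [::1] intact."""
    if hostport.startswith("["):
        end = hostport.index("]")
        host = hostport[: end + 1]
        port = hostport[end + 2:] if hostport[end + 1:end + 2] == ":" else ""
    else:
        host, _, port = hostport.partition(":")
    return host, port or None


def rfc3986_split(url):
    """Return (scheme, userinfo, host, port, rest) for an absolute URL,
    terminating the authority at the first "/", "?" or "#"."""
    scheme, sep, remainder = url.partition("://")
    if not sep:
        raise ValueError("absolute URL with scheme expected")
    m = _AUTHORITY_END.search(remainder)
    authority = remainder[: m.start()] if m else remainder
    rest = remainder[m.start():] if m else ""
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        userinfo, hostport = None, authority
    host, port = _split_hostport(hostport)
    return scheme, userinfo, host, port, rest


def naive_split(url):
    """Treat everything up to the first "/" as the authority, so a "?" before
    the first slash is just punctuation inside userinfo (the RFC 1738-era
    reading described in the changelog entry)."""
    scheme, sep, remainder = url.partition("://")
    if not sep:
        raise ValueError("absolute URL with scheme expected")
    authority, slash, rest = remainder.partition("/")
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        userinfo, hostport = None, authority
    host, port = _split_hostport(hostport)
    return scheme, userinfo, host, port, ("/" + rest) if slash else ""


def ambiguous_host(url):
    """True when the two parsers disagree about the host, i.e. the URL has
    the shape that sends an RFC 1738-style client to a different site than
    an RFC 3986 client. A gateway or link checker can flag these."""
    return rfc3986_split(url)[2] != naive_split(url)[2]


def strip_userinfo(url):
    """Rebuild the URL without inline credentials, as a client that refuses
    user:password@ in URLs would do. Returns (clean_url, warning_or_None)."""
    scheme, userinfo, host, port, rest = rfc3986_split(url)
    clean = f"{scheme}://{host}" + (f":{port}" if port else "") + rest
    if userinfo is None:
        return clean, None
    return clean, f"dropped credentials for {host}"


if __name__ == "__main__":
    # Constructed samples; the first is the URL quoted in the mail.
    for sample in (
        "http://google.com?@www.debian.org/",
        "http://user:pa%3Fss@example.org/index.html",
        "http://example.org/path?x=1@2",
        "http://[::1]:8080/",
    ):
        print(sample, "->", rfc3986_split(sample)[2],
              "ambiguous" if ambiguous_host(sample) else "ok")
```

Note that a "?" inside a password is not valid in RFC 3986 userinfo at all; it has to be percent-encoded as %3F, which is why the second sample parses identically under both readings while the quoted google.com URL does not.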