Re: CVE-2016-9179

Hi Brian,

On Mon, Nov 14, 2016 at 06:09:56PM +1100, Brian May wrote:
> Hello,
> Just wondered why you marked CVE-2016-9179 as Slight mitigation in
> 2.8.9dev.10? Is there any documentation that talks about the
> changes in 2.8.9dev.10?

The update in 2.8.9dev.10 does not really fix the issue (thus the bug
was also not closed by the maintainer, I think), because it only
"improves" the message. I do not have an isolated change at hand, but
this is what the 2.8.9dev.10 import documents:

+* improve warning message when stripping user/password from URL; report on
+  http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the
+  punctuation such as "?" which is permitted by RFC-1738 in a user or password
+  field.  RFC-3986 subsequently modified this.  The improved message points out
+  the possible confusion by users when these fields contain punctuation -TD

but you will still, contrary to other browsers, be
redirected to the wrong site. E.g.

lynx http://google.com?@www.debian.org/

will/should still direct you to the wrong place.

I'm not aware of a "fix" yet.

Regards and hope this clarifies why this was not marked as fixed with
the 2.8.9dev.10 upload,


p.s.: The mail via carnil@moszumanska.d.o did not arrive, but I was
      lurking in d-lts so saw your mail. I think mails to
      username@moszumanska.d.o are not correctly delivered to
      username@d.o (but I might be wrong). I seem to remember that
      this worked correctly in previous alioth setups.
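The authority confusion discussed in the mail, as an added example that is not part of the original message or of Lynx: a Python script contrasting RFC 3986 authority parsing (what urllib.parse does) with a constructed model of an RFC 1738-style parse in which "?" may appear in the user/password field, so that the same URL yields two different hosts. The host_rfc1738_style function is an illustrative model, not Lynx's code, and the sample URLs other than the one from the mail are constructed.

```python
"""Added example: which host does a URL parser connect to?

RFC 3986 ends the authority at the first "/", "?" or "#"; only within that
authority is userinfo split off at "@".  RFC 1738 permitted punctuation such
as "?" inside user/password, so a parser following it keeps scanning for "@"
and may pick a different host.  The RFC 1738-style parser below is a model
built for illustration (an assumption), not Lynx's code.
"""
from urllib.parse import urlsplit


def host_rfc3986(url: str) -> str:
    """Host as RFC 3986 (and urllib.parse) sees it, lower-cased, no port."""
    return urlsplit(url).hostname or ""


def host_rfc1738_style(url: str) -> str:
    """Model of an RFC 1738-style parse (assumption, not Lynx's code).

    The authority is only terminated by "/" (so "?" and "#" remain part of
    it), and the first "@" inside it separates user[:password] from host.
    """
    _scheme, sep, rest = url.partition("://")
    if not sep:
        return ""
    authority = rest.split("/", 1)[0]          # stop only at "/"
    _userinfo, at, hostport = authority.partition("@")
    host = hostport if at else authority
    return host.split(":", 1)[0].lower()       # drop any port


def parse_disagreement(url: str) -> dict:
    """Return both hosts and whether the two parse rules hit different servers.

    A link checker or URL allow-list should treat disagreement as a red flag:
    whichever host passed the check, a client using the other rule connects
    elsewhere.
    """
    a, b = host_rfc3986(url), host_rfc1738_style(url)
    return {"rfc3986": a, "rfc1738_style": b, "disagree": a != b}


# Sample URLs: the first is the one from the mail, the rest are constructed.
SAMPLES = [
    "http://google.com?@www.debian.org/",            # case from the mail
    "http://google.com#@www.debian.org/",            # same trick, fragment
    "http://user:p%40ss@www.debian.org/",            # legitimate, encoded "@"
    "http://www.debian.org/?redirect=@google.com/",  # "@" after the path
]

if __name__ == "__main__":
    for url in SAMPLES:
        r = parse_disagreement(url)
        flag = "MISMATCH" if r["disagree"] else "ok"
        print(f"{flag:8} {url}")
        print(f"         RFC 3986       -> {r['rfc3986']}")
        print(f"         RFC 1738-style -> {r['rfc1738_style']}")
```

The last two samples show why the "/" terminator matters: once a path separator precedes the "@", both rules agree, so a validator that normalises URLs with urllib.parse and rejects any that still carry userinfo or an "@" before the first "/" catches the divergent cases.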

