On Mon, Nov 14, 2016 at 06:09:56PM +1100, Brian May wrote:
> Just wondered why you marked CVE-2016-9179 as Slight mitigation in
> 2.8.9dev.10? Is there any documentation that talks about the
> changes in 2.8.9dev.10?
The update in 2.8.9dev.10 does not really fix the issue (thus the bug
was not closed by the maintainer either, I think), because it only
"improves" the message. I do not have an isolated change at hand, but
this is what the 2.8.9dev.10 import documents:
+* improve warning message when stripping user/password from URL; report on
+ http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the
+ punctuation such as "?" which is permitted by RFC-1738 in a user or password
+ field. RFC-3986 subsequently modified this. The improved message points out
+ the possible confusion by users when these fields contain punctuation -TD
but you will still -- contrary to other browsers -- be
redirected to the wrong site. E.g.
will/should still direct you to the wrong place.
I'm not aware of a "fix" yet.
Regards and hope this clarifies why this was not marked as fixed with
the 2.8.9dev.10 upload,
p.s.: The mail via email@example.com did not arrive, but I was
lurking in d-lts so saw your mail. I think mails to
firstname.lastname@example.org are not correctly delivered to
email@example.com (but I might be wrong). In previous alioth setups I
seem to remember this worked correctly.
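The parsing difference behind this thread, shown as an added example that is not part of the mail exchange or of Lynx itself: RFC 1738 let "?" appear inside the user/password field, while RFC 3986 ends the authority at the first "/", "?" or "#", so the same URL can name two different hosts depending on which rule a client follows. The code below parses a URL both ways (Python's `urllib.parse.urlsplit` follows RFC 3986; the small RFC 1738-style parser is written here) and flags any URL whose host differs between the two, which is the check a link filter or URL scanner would want in order to reject such ambiguous URLs before a client visits them. The domains `example.com` and `evil.example` are constructed sample values.

```python
from urllib.parse import urlsplit


def rfc3986_host(url: str) -> str:
    """Host as RFC 3986 defines it: the authority stops at the first '/', '?' or '#'.

    urlsplit implements exactly that rule, and lowercases the hostname for us.
    """
    return urlsplit(url).hostname or ""


def rfc1738_style_host(url: str) -> str:
    """Host as an RFC 1738-style parser sees it (hypothetical parser, written for
    this example).  Only '/' ends the authority, so '?' may sit inside the
    user/password field and the text after the last '@' is taken as the host."""
    _scheme, sep, rest = url.partition("://")
    if not sep:
        return ""
    authority = rest.split("/", 1)[0]          # '?' and '#' do NOT end the authority here
    hostport = authority.rsplit("@", 1)[-1]    # everything after user[:password]@
    return hostport.split(":", 1)[0].lower()


def is_ambiguous(url: str) -> bool:
    """True when the two interpretations disagree about which host the URL names."""
    return rfc3986_host(url) != rfc1738_style_host(url)


def check_urls(urls):
    """Return (url, rfc3986_host, rfc1738_host, ambiguous) for each URL, so a
    filter can log or reject the ambiguous ones."""
    return [(u, rfc3986_host(u), rfc1738_style_host(u), is_ambiguous(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample URLs: the first one is harmless under both rules, the
    # other two name different hosts depending on which RFC the parser follows.
    sample = [
        "http://user:secret@example.com/path",
        "http://example.com?@evil.example/",
        "http://example.com#@evil.example/",
    ]
    for url, h3986, h1738, amb in check_urls(sample):
        flag = "AMBIGUOUS" if amb else "ok"
        print(f"{flag:9} {url}\n          RFC 3986 host: {h3986}\n          RFC 1738 host: {h1738}")
```

The point of comparing two parsers rather than validating the userinfo characters directly is that, under RFC 3986, the suspicious URLs have no userinfo at all (the "?" ends the authority), so a userinfo check would pass them; only the disagreement between the two readings reveals that a client using the older rule would be sent elsewhere.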