Re: [pkg-lynx-maint] [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')

To: Thomas Dickey <dickey@his.com>
Cc: Debian Lynx Packaging Team <pkg-lynx-maint@lists.alioth.debian.org>, Debian Security Team <team@security.debian.org>, Brian May <bam@debian.org>, debian-lts@lists.debian.org, Lynx Development <lynx-dev@nongnu.org>
Subject: Re: [pkg-lynx-maint] [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
From: Axel Beckert <abe@debian.org>
Date: Wed, 16 Nov 2016 00:30:59 +0100
Message-id: <[🔎] 20161115233056.GZ5130@sym.noone.org>
Mail-followup-to: Thomas Dickey <dickey@his.com>, Debian Lynx Packaging Team <pkg-lynx-maint@lists.alioth.debian.org>, Debian Security Team <team@security.debian.org>, Brian May <bam@debian.org>, debian-lts@lists.debian.org, Lynx Development <lynx-dev@nongnu.org>
In-reply-to: <[🔎] 20161115100616.GA17665@vmw-debian7-64.jexium-island.net>
References: <[🔎] 87a8d28rln.fsf@prune.linuxpenguins.xyz> <[🔎] 20161114075334.GA27784@lorien.valinor.li> <[🔎] 20161114125531.GS5130@sym.noone.org> <[🔎] 20161114230521.GB17430@vmw-debian7-64.jexium-island.net> <[🔎] 874m39jjuw.fsf@prune.linuxpenguins.xyz> <[🔎] 20161115090720.GA7604@vmw-debian7-64.jexium-island.net> <[🔎] 20161115100616.GA17665@vmw-debian7-64.jexium-island.net>

Hi Thomas,

Thomas Dickey wrote:
> > > Alert!: User/password may appear to be a hostname: 'google.com?' (e.g, 'google.com')
> > > 
> > > Then it takes me to http://www.debian.org/
> > 
> > yes - and I was using the trace to see if I'd gotten the right host.
> > The trace is (based on strace...) incorrect.  I'll fix that.
> 
> Here's the change which I just applied, which seems to work.

At least fixes the redirect target for me.

> If there's no further changes needed, I'll release that as dev.11

I though wonder if the "User/password may appear to be a
hostname" alert is now still needed for that case.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Reply to:

Follow-Ups:
- Re: [pkg-lynx-maint] [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
  - From: Thomas Dickey <dickey@his.com>

References:
- CVE-2016-9179
  - From: Brian May <bam@debian.org>
- Re: CVE-2016-9179
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: CVE-2016-9179 (invalid URL parsing with '?')
  - From: Axel Beckert <abe@debian.org>
- Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
  - From: Thomas Dickey <dickey@his.com>
- Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
  - From: Brian May <bam@debian.org>
- Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
  - From: Thomas Dickey <dickey@his.com>
- Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
  - From: Thomas Dickey <dickey@his.com>

Prev by Date: Re: [pkg-lynx-maint] [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
Next by Date: Re: [pkg-lynx-maint] [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
Previous by thread: Re: [pkg-lynx-maint] [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
Next by thread: Re: [pkg-lynx-maint] [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
Index(es):
- Date
- Thread