Fw: [OpenPKG-SA-2003.011] OpenPKG Security Advisory (lynx)

Niki Guldbrand nikig at vip.cybercity.dk
Wed Feb 19 00:04:13 GMT 2003 


Begin forwarded message:

Date: Tue, 18 Feb 2003 17:32:03 +0100
From: OpenPKG <openpkg at openpkg.org>
To: bugtraq at securityfocus.com
Subject: [OpenPKG-SA-2003.011] OpenPKG Security Advisory (lynx)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security at openpkg.org                         openpkg at openpkg.org
OpenPKG-SA-2003.011                                          18-Feb-2003
________________________________________________________________________

Package:             lynx
Vulnerability:       CRLF injection vulnerability
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= lynx-2.8.4-20020206      >= lynx-2.8.4-20021216
OpenPKG 1.2          <= N.A.                     >= lynx-2.8.4-1.2.0
OpenPKG 1.1          <= lynx-2.8.4-1.1.0         >= lynx-2.8.4-1.1.1

Affected Releases:   Dependent Packages: none

Description:
  Ulf Harnhammar posted information [0] reporting a "CRLF Injection"
  problem with Lynx [1] 2.8.4 and earlier. It is possible to inject
  false HTTP headers into an HTTP request that is provided on the
  command line, via a URL containing encoded carriage return, line feed,
  and other whitespace characters. This way, scripts that use Lynx for
  downloading files access the wrong site on a web server with multiple
  virtual hosts. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2002-1405 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  lynx". If you have the "lynx" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  verify its integrity [7], build a corresponding binary RPM from it [3]
  and update your OpenPKG installation by applying the binary RPM [4].
  For the release OpenPKG 1.1, perform the following operations to
  permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get lynx-2.8.4-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig lynx-2.8.4-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild lynx-2.8.4-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/lynx-2.8.4-1.1.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.mail-archive.com/bugtraq@securityfocus.com/msg08897.html
  [1] http://lynx.isc.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1405
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/lynx-2.8.4-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/
  [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg at openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg at openpkg.org>

iD8DBQE+UlhugHWT4GPEy58RAr9NAKC7MXEp1KbGF9hBdS54B0lAg5ZeSACg0tKk
ugQtWNDCopogBsrxmMgAlx0=
=+o01
-----END PGP SIGNATURE-----


-- 
Med Venlig Hilsen / Best Regards
                              |  Teleservice Esbjerg A/S
Niki Guldbrand                |  Salingsundvej 4
IT-Administrator              |  6715 Esbjerg N
                              |  Denmark
Phone         : +45 79144544  |
Direct Phone  : +45 79144589  |  Web : http://www.teleservice.com
Fax           : +45 79144599  |

E-Mail        : Niki.Guldbrand at teleservice.com

--------------
Don't stop to stomp ants when the elephants are stampeding.
--------------

More information about the Lunar-dev mailing list