lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <m1Fjckc-000oixC__4192.52022770724$1148659164$gmane$org@finlandia.Infodrom.North.DE>
Date: Fri, 26 May 2006 15:53:14 +0200 (CEST)
From: joey@...odrom.org (Martin Schulze)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1076-1] New lynx packages fix denial of service


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1076-1                    security@...ian.org
http://www.debian.org/security/                             Martin Schulze
May 26th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : lynx
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2004-1617
BugTraq ID     : 11443
Debian Bug     : 296340

Michal Zalewski discovered that lynx, the popular text-mode WWW
Browser, is not able to grok invalid HTML including a TEXTAREA tag
with a large COLS value and a large tag name in an element that is not
terminated, and loops forever trying to render the broken HTML.

For the old stable distribution (woody) this problem has been fixed in
version 2.8.4.1b-3.4.

For the stable distribution (sarge) this problem has been fixed in
version 2.8.5-2sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 2.8.5-2sarge2.

We recommend that you upgrade your lynx package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4.dsc
      Size/MD5 checksum:      581 a9853909c61c5ef2fcc8868599f9b875
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4.diff.gz
      Size/MD5 checksum:    16334 74bce8912c28f979c33055a012cf29d6
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b.orig.tar.gz
      Size/MD5 checksum:  2557510 053a10f76b871e3944c11c7776da7f7a

  Alpha architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4_alpha.deb
      Size/MD5 checksum:  1610344 3e1ec04a0c6532506519e8051a0067b6

  ARM architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4_arm.deb
      Size/MD5 checksum:  1487906 a06ad20f4d8a0ce1cc0d59a0dfa24e9b

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4_i386.deb
      Size/MD5 checksum:  1444914 cb6449afd1e3029d06606bf823e0f064

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4_ia64.deb
      Size/MD5 checksum:  1762966 cb0b05d5cb148372fd2cd3d2e99843cc

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4_hppa.deb
      Size/MD5 checksum:  1555454 79392b2914654a7d4519247d9584e816

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4_m68k.deb
      Size/MD5 checksum:  1405980 1df4dff2fc4191ee512811e0ac42c361

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4_mips.deb
      Size/MD5 checksum:  1508022 d5b58fc5611b1ea1d37bc5a1034478f1

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4_mipsel.deb
      Size/MD5 checksum:  1504120 1078ef11583d9664fecd2d9d5712ecad

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4_powerpc.deb
      Size/MD5 checksum:  1491256 2967d2f0c3a722b4b42a2b06510aabcc

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4_s390.deb
      Size/MD5 checksum:  1463536 5a5692d6d572ef301d052e7e8c62d004

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.4_sparc.deb
      Size/MD5 checksum:  1492926 6bb21df62a773736a1f694cedacea3de


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2.dsc
      Size/MD5 checksum:      616 241c00a777c333b7270d8dbdaa4ad210
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2.diff.gz
      Size/MD5 checksum:    17357 22b394977569bbeda207bfb5bcb42175
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5.orig.tar.gz
      Size/MD5 checksum:  2984352 5f516a10596bd52c677f9bfd9579bc28

  Alpha architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2_alpha.deb
      Size/MD5 checksum:  1994618 4a23d6234470f59a47100bcd13d18a51

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2_amd64.deb
      Size/MD5 checksum:  1881876 046312043fffdbcf5ad218074e21e119

  ARM architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2_arm.deb
      Size/MD5 checksum:  1853176 0d33e5835a479accab8c3282cdc19c14

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2_i386.deb
      Size/MD5 checksum:  1854894 1e525c61aac1e0fac0ddad4d9e15d8f6

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2_ia64.deb
      Size/MD5 checksum:  2128572 78bfa4c383e41d352b67595da80904c9

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2_hppa.deb
      Size/MD5 checksum:  1909746 371fb69c98ff2e510861ba210ec11bda

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2_m68k.deb
      Size/MD5 checksum:  1780836 bdf8b0d6a711cf21202ef86189cfb8bf

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2_mips.deb
      Size/MD5 checksum:  1894118 9be5baba4f5e3f99b618553c4252b289

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2_mipsel.deb
      Size/MD5 checksum:  1889604 11840739365387bb4741099f9310c77c

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2_powerpc.deb
      Size/MD5 checksum:  1878302 4885a52c8ad1992335f5c9f87ef522cf

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2_s390.deb
      Size/MD5 checksum:  1866982 8125a8d85817c29d3984fdb2d2ac4df6

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.5-2sarge2_sparc.deb
      Size/MD5 checksum:  1861484 407b283a4c8656a0ef1a5935780c8204


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEdwhJW5ql+IAeqTIRAr+IAJ9Qn7H5oFJJYyZuN8oaxgUXsZAy+ACgjRn7
aWMRPJtnJ5Xf2D5V0OuRTic=
=n7+V
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ