lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <E1KuvRw-0007O0-5d@titan.mandriva.com>
Date: Tue, 28 Oct 2008 14:46:00 -0600
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2008:217 ] lynx


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:217
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : lynx
 Date    : October 28, 2008
 Affected: Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A flaw was found in the way Lynx handled .mailcap and .mime.types
 configuration files.  If these files were present in the current
 working directory, they would be loaded prior to similar files in
 the user's home directory.  This could allow a local attacker to
 possibly execute arbitrary code as the user running Lynx, if they
 could convince the user to run Lynx in a directory under their control
 (CVE-2006-7234).
 
 A vulnerability was found in the Lynxcgi: URI handler that could allow
 an attacker to create a web page redirecting to a malicious URL that
 would execute arbitrary code as the user running Lynx, if they were
 using the non-default Advanced user mode (CVE-2008-4690).
 
 This update corrects these issues and, in addition, makes Lynx always
 prompt the user before loading a lynxcgi: URI.  As well, the default
 lynx.cfg configuration file marks all lynxcgi: URIs as untrusted.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7234
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4690
 _______________________________________________________________________

 Updated Packages:

 Corporate 3.0:
 52caf1fa68f721262582a92b206d37cd  corporate/3.0/i586/lynx-2.8.5-1.4.C30mdk.i586.rpm 
 3c047c7623e2225f8756b0c5bafda34d  corporate/3.0/SRPMS/lynx-2.8.5-1.4.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 5cb50d077a5e7e7e0a013a2587d56c18  corporate/3.0/x86_64/lynx-2.8.5-1.4.C30mdk.x86_64.rpm 
 3c047c7623e2225f8756b0c5bafda34d  corporate/3.0/SRPMS/lynx-2.8.5-1.4.C30mdk.src.rpm

 Corporate 4.0:
 e1759c02ffc4435cd36344c6e5739a0f  corporate/4.0/i586/lynx-2.8.5-4.4.20060mlcs4.i586.rpm 
 18e40caa595ef9220aef5d988c656ef4  corporate/4.0/SRPMS/lynx-2.8.5-4.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 4c89dec9780616b58132b4632f81ec38  corporate/4.0/x86_64/lynx-2.8.5-4.4.20060mlcs4.x86_64.rpm 
 18e40caa595ef9220aef5d988c656ef4  corporate/4.0/SRPMS/lynx-2.8.5-4.4.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 b7f3f30424e5ce4c4592f1ec0ff70e04  mnf/2.0/i586/lynx-2.8.5-1.4.C30mdk.i586.rpm 
 5cabc724908b48f46f7eb039390db4d0  mnf/2.0/SRPMS/lynx-2.8.5-1.4.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJB06HmqjQ0CJFipgRAuS9AJ9pVisSYqgyYI0jhG3FEX0cPK5bxACfe6Ry
YAnREqCMTMmC2VYPrYF2Hlw=
=/vjO
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ