Created attachment 227163
patch to the www/lynx-current port

www/lynx* ports are vulnerable to CVE-2021-38165.

They will leak HTTP username and password by not stripping them when constructing a hostname for HTTPS SNI. See [1] for the vulnerability thread.

The attached patch updates the www/lynx-current port to an August release of lynx2.9.0dev.9 as published on [2], adjusts the FTP master site according to the release announcement, and updates makefile.in patch not to conflict with the newer version.

1. https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
2. https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00008.html
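An added illustration of the class of fix described in the report above (not part of the bug report, the port patch, or lynx's source): the server name handed to the TLS layer for SNI is derived from the URL authority with userinfo and port removed, since SNI is sent unencrypted in the ClientHello. The function name and the sample URL authority are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not lynx source. Input is the URL authority only,
 * e.g. "user:pass@host:port". Copies the bare host into out, dropping
 * userinfo and port, so credentials never reach the SNI server name.
 * Returns 0 on success, -1 if the host is empty, malformed or too long. */
int sni_host_from_authority(const char *authority, char *out, size_t outlen)
{
    const char *at = strrchr(authority, '@');   /* last '@' ends userinfo */
    const char *host = at ? at + 1 : authority;
    const char *end;
    size_t n;

    if (*host == '[') {                  /* bracketed IPv6: [addr]:port */
        host++;
        end = strchr(host, ']');
        if (end == NULL)
            return -1;
    } else {
        end = strchr(host, ':');         /* optional ":port" */
        if (end == NULL)
            end = host + strlen(host);
    }
    n = (size_t)(end - host);
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, host, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample input; credentials are placeholders. */
    const char *authority = "user:secret@example.org:443";
    char sni[256];

    if (sni_host_from_authority(authority, sni, sizeof sni) == 0)
        printf("SNI server name: %s\n", sni);
    return 0;
}
```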
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a48d43a45f5f77b77b4f9a8d2827bcfd23b33e77

commit a48d43a45f5f77b77b4f9a8d2827bcfd23b33e77
Author:     Piotr Smyrak <ps.ports@smyrak.com>
AuthorDate: 2021-08-15 04:59:43 +0000
Commit:     Adam Weinberger <adamw@FreeBSD.org>
CommitDate: 2021-08-15 04:59:43 +0000

    www/lynx-current: Update to 2.9.0d9

    PR:             257812

 www/lynx-current/Makefile                |  5 ++--
 www/lynx-current/distinfo                |  4 +--
 www/lynx-current/files/patch-makefile.in | 47 ++++++++++++++++----------------
 www/lynx-current/pkg-plist               |  1 +
 4 files changed, 30 insertions(+), 27 deletions(-)
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=94fefec6bca40ac94b6abec067264184ed08671e

commit 94fefec6bca40ac94b6abec067264184ed08671e
Author:     Piotr Smyrak <ps.ports@smyrak.com>
AuthorDate: 2021-08-15 04:59:43 +0000
Commit:     Adam Weinberger <adamw@FreeBSD.org>
CommitDate: 2021-08-15 21:04:55 +0000

    www/lynx-current: Update to 2.9.0d9

    PR:             257812

    (cherry picked from commit a48d43a45f5f77b77b4f9a8d2827bcfd23b33e77)

 www/lynx-current/Makefile                |  5 ++--
 www/lynx-current/distinfo                |  4 +--
 www/lynx-current/files/patch-makefile.in | 47 ++++++++++++++++----------------
 www/lynx-current/pkg-plist               |  1 +
 4 files changed, 30 insertions(+), 27 deletions(-)
Done. Thanks, Piotr.