Bug 257812 - patch and update www/lynx-current affected by CVE-2021-38165
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Adam Weinberger
Reported: 2021-08-13 16:03 UTC by Piotr Smyrak
Modified: 2021-08-15 21:07 UTC

Attachments
patch to the www/lynx-current port (4.54 KB, patch)
2021-08-13 16:03 UTC, Piotr Smyrak

Description Piotr Smyrak 2021-08-13 16:03:47 UTC
Created attachment 227163
patch to the www/lynx-current port

www/lynx* ports are vulnerable to CVE-2021-38165

They will leak HTTP username and password by not stripping them when constructing a hostname for HTTPS SNI. See [1] for the vulnerability thread.

The attached patch updates the www/lynx-current port to an August release of lynx2.9.0dev.9 as published on [2], adjusts the FTP master site according to the release announcement, and updates the makefile.in patch so that it does not conflict with the newer version.

1. https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
2. https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00008.html
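
The failure mode described in the report, as an added example that is not lynx's code and not part of the original report: deriving the TLS SNI name from a URL authority with and without stripping the userinfo. The function names and the sample authority string are constructed for illustration, and the input is assumed to be the authority component only (no scheme or path).

```c
#include <stdio.h>
#include <string.h>

/* Failure mode: only ":port" is cut off, so a "user:password@" prefix
 * stays in the name that is handed to the TLS layer and sent in the
 * ClientHello, which is not encrypted. */
static int sni_naive(const char *authority, char *out, size_t outlen)
{
    const char *colon = strrchr(authority, ':');
    size_t n = colon ? (size_t)(colon - authority) : strlen(authority);
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, authority, n);
    out[n] = '\0';
    return 0;
}

/* Hardened form: drop everything up to the last '@' (userinfo), then
 * drop ":port". Returns -1 when no SNI name should be sent. */
static int sni_host(const char *authority, char *out, size_t outlen)
{
    const char *host = strrchr(authority, '@');
    size_t n;

    host = host ? host + 1 : authority;
    if (*host == '[')            /* bracketed IPv6 literal: not a valid SNI name */
        return -1;
    n = strcspn(host, ":");      /* length of the host up to an optional port */
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, host, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    const char *sample = "alice:s3cret@example.org:443";  /* constructed input */
    char name[64];

    if (sni_naive(sample, name, sizeof name) == 0)
        printf("naive SNI:    %s\n", name);
    if (sni_host(sample, name, sizeof name) == 0)
        printf("hardened SNI: %s\n", name);
    return 0;
}
```

A client can also reject any candidate SNI name that still contains '@' or ':' before passing it to the TLS library, which catches this class of mistake independently of how the name was derived.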
Comment 1 commit-hook freebsd_committer freebsd_triage 2021-08-15 05:01:57 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a48d43a45f5f77b77b4f9a8d2827bcfd23b33e77

commit a48d43a45f5f77b77b4f9a8d2827bcfd23b33e77
Author:     Piotr Smyrak <ps.ports@smyrak.com>
AuthorDate: 2021-08-15 04:59:43 +0000
Commit:     Adam Weinberger <adamw@FreeBSD.org>
CommitDate: 2021-08-15 04:59:43 +0000

    www/lynx-current: Update to 2.9.0d9

    PR:             257812

 www/lynx-current/Makefile                |  5 ++--
 www/lynx-current/distinfo                |  4 +--
 www/lynx-current/files/patch-makefile.in | 47 ++++++++++++++++----------------
 www/lynx-current/pkg-plist               |  1 +
 4 files changed, 30 insertions(+), 27 deletions(-)
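Review bot: the commit message (subject "www/lynx-current: Update to 2.9.0d9" and the "PR: 257812" line) does not name CVE-2021-38165, so the log alone does not show that this is a security update. Suggest adding a "Security: CVE-2021-38165" line next to the PR line. The report says www/lynx* ports are vulnerable, while this diffstat touches only www/lynx-current; the message could state whether www/lynx is handled separately.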
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-08-15 21:05:52 UTC
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=94fefec6bca40ac94b6abec067264184ed08671e

commit 94fefec6bca40ac94b6abec067264184ed08671e
Author:     Piotr Smyrak <ps.ports@smyrak.com>
AuthorDate: 2021-08-15 04:59:43 +0000
Commit:     Adam Weinberger <adamw@FreeBSD.org>
CommitDate: 2021-08-15 21:04:55 +0000

    www/lynx-current: Update to 2.9.0d9

    PR:             257812
    (cherry picked from commit a48d43a45f5f77b77b4f9a8d2827bcfd23b33e77)

 www/lynx-current/Makefile                |  5 ++--
 www/lynx-current/distinfo                |  4 +--
 www/lynx-current/files/patch-makefile.in | 47 ++++++++++++++++----------------
 www/lynx-current/pkg-plist               |  1 +
 4 files changed, 30 insertions(+), 27 deletions(-)
Comment 3 Adam Weinberger freebsd_committer freebsd_triage 2021-08-15 21:07:31 UTC
Done. Thanks, Piotr.