
SANS ISC: InfoSec Handlers Diary Blog - Lynx user? Upgrade it! InfoSec Handlers Diary Blog



Lynx user? Upgrade it!

Published: 2005-11-15
Last Updated: 2005-11-15 15:59:27 UTC
by Pedro Bueno (Version: 4)
If you are a Lynx user, prepare to upgrade.
According to an advisory from iDefense, Lynx has a command injection vulnerability that "could allow attackers to execute arbitrary commands with the privileges of the underlying user."

Some patch links:

Development version 2.8.6dev.15 has been released to address this issue and is available from the following URLs:

 http://lynx.isc.org/current/lynx2.8.6dev.15.tar.Z
 http://lynx.isc.org/current/lynx2.8.6dev.15.tar.bz2
 http://lynx.isc.org/current/lynx2.8.6dev.15.tar.gz
 http://lynx.isc.org/current/lynx2.8.6dev.15.zip

Alternately, an incremental patch is available at:
 http://lynx.isc.org/current/2.8.6dev.15.patch.gz

There is also a workaround (described in the bulletin) for those who can't upgrade.

Disable "lynxcgi" links by specifying the following directive in lynx.cfg:

    TRUSTED_LYNXCGI:none
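
One way to confirm the workaround is actually present in a given lynx.cfg, as an added example that is not part of the original diary or the iDefense bulletin. The function name `lynxcgi_status`, its status words and the sample files are this example's own; the check is deliberately strict and accepts only the exact directive text shown above.

```shell
#!/bin/sh
# Added example: audit a lynx.cfg for the TRUSTED_LYNXCGI:none workaround.
# Limitation: INCLUDE: lines are not followed; audit included files separately.

lynxcgi_status() {
    # Prints one of:
    #   disabled   - every active TRUSTED_LYNXCGI line is exactly the workaround
    #   missing    - no active TRUSTED_LYNXCGI line, workaround not applied
    #   review     - some TRUSTED_LYNXCGI line differs from the workaround text
    #   unreadable - the file cannot be read
    cfg=$1
    [ -r "$cfg" ] || { echo unreadable; return 0; }
    awk '
        /^[ \t]*#/ { next }                 # commented-out lines do not count
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # trim only to recognise the key
            if (toupper(line) !~ /^TRUSTED_LYNXCGI[ \t]*:/) next
            seen = 1
            # Strict: indentation, other case or trailing characters all
            # send the file to manual review instead of passing silently.
            if ($0 != "TRUSTED_LYNXCGI:none") other = 1
        }
        END {
            if (!seen)      print "missing"
            else if (other) print "review"
            else            print "disabled"
        }
    ' "$cfg"
}

# Constructed sample configs (not from a real system) to exercise the check.
demo_dir=$(mktemp -d)
printf '%s\n' '# lynx.cfg (constructed)' 'TRUSTED_LYNXCGI:none' \
    > "$demo_dir/fixed.cfg"
printf '%s\n' '#TRUSTED_LYNXCGI:none' 'STARTFILE:http://example.org/' \
    > "$demo_dir/commented.cfg"
printf '%s\n' 'TRUSTED_LYNXCGI:none' 'TRUSTED_LYNXCGI:/constructed/cgi-bin/' \
    > "$demo_dir/mixed.cfg"

for f in fixed commented mixed; do
    printf '%s: %s\n' "$f.cfg" "$(lynxcgi_status "$demo_dir/$f.cfg")"
done
```

Run it against each lynx.cfg in use on a host (system-wide and any per-user copies) and treat anything other than `disabled` as not yet mitigated.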


-------------------------------------------------------------------
Handler on Duty: Pedro Bueno (pbueno //%%// isc. sans. org)