Security advisory: lynx

Yaakov S (Cygwin Ports) yselkowitz@users.sourceforge.net
Sun Nov 13 22:08:00 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lynx is vulnerable to an issue which allows the remote execution of
arbitrary commands.

iDefense labs discovered a problem within the feature to execute local
cgi-bin programs via the "lynxcgi:" URI handler. Due to a configuration
error, the default settings allow websites to specify commands to run
as the user running Lynx.

Workaround:
Disable "lynxcgi" links by specifying the following directive in
lynx.cfg:
TRUSTED_LYNXCGI:none

Fix:
I've attached a patch for lynx-2.8.5.

More information:
http://security.gentoo.org/glsa/glsa-200511-09.xml
http://bugs.gentoo.org/show_bug.cgi?id=112213
http://www.idefense.com/application/poi/display?id=338&type=vulnerabilities
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDd7ldpiWmPGlmQSMRAosWAKDWekpGdWizUy8UdBuSttlFf7C2dgCgwVpf
3D92m9YlsmxJ7xIeRkaNAlQ=
=9nsr
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: lynx-2.8.5-CVE-2005-2929.patch
URL: <http://cygwin.com/pipermail/cygwin-apps/attachments/20051113/65e3bb93/attachment.ksh>
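
A check that the workaround above is in place, as an added example (not part of the original advisory or the attached patch): the script classifies the lynx.cfg passed as its argument. Assumptions: the keyword is matched case-insensitively, included configuration files are not followed, and any TRUSTED_LYNXCGI value other than "none" is flagged for manual review rather than judged.

```shell
#!/bin/sh
# Added example, not part of the original advisory.
# Classify a lynx.cfg by its TRUSTED_LYNXCGI directives. Prints one of:
#   applied    - only "TRUSTED_LYNXCGI:none" is set (the workaround)
#   missing    - no TRUSTED_LYNXCGI line, so the default settings apply
#   review     - other TRUSTED_LYNXCGI rules exist; inspect them by hand
#   unreadable - the file could not be read
# Exit status is 0 only for "applied".
check_lynxcgi() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*#/ { next }                 # commented-out directives do not count
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # tolerate indentation
            sub(/[ \t\r]+$/, "", line)      # tolerate trailing blanks and CRLF
            # Assumption: keyword case is not significant.
            if (toupper(line) !~ /^TRUSTED_LYNXCGI:/) next
            val = substr(line, length("TRUSTED_LYNXCGI:") + 1)
            sub(/^[ \t]+/, "", val)
            if (tolower(val) == "none") none++; else other++
        }
        END {
            if (other > 0)     { print "review";  exit 1 }
            else if (none > 0) { print "applied"; exit 0 }
            else               { print "missing"; exit 1 }
        }
    ' "$cfg"
}

# Run as: sh check_lynxcgi.sh /path/to/lynx.cfg  (script name is hypothetical)
if [ $# -gt 0 ]; then
    check_lynxcgi "$1"
fi
```
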

