Opened 19 years ago

Closed 18 years ago

#1678 closed defect (fixed)

Lynx-2.8.5 Vulnerability

Reported by: archaic@…
Owned by: Randy McMurchy
Priority: highest
Milestone: 6.2.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

The link has the info. Upstream hasn't made a security release.

Change History (6)

comment:1 by Randy McMurchy, 18 years ago

It appears the link provided to review the security vulnerability is password protected. Anybody have any idea if these advisories are located elsewhere?

I'm going to do some googling in the meantime.

comment:2 by Randy McMurchy, 18 years ago

bug_file_loc: changed from http://frontal1.mandriva.com/security/advisories?name=MDKSA-2005:186-1 to http://seclists.org/lists/vulnwatch/2005/Oct-Dec/0041.html
Milestone: changed from future to 6.2
op_sys: changed from All to Linux
Owner: changed from blfs-book@… to Randy McMurchy
Priority: changed from high to highest

Updated the link to the security advisory.

It appears the easiest way to address this issue until a new version of Lynx is released is to follow the instructions in the advisory and install the following directive in the lynx.cfg file: TRUSTED_LYNXCGI:none

This seems easier than using the 15 level revision patch of the development version of Lynx.

comment:3 by Randy McMurchy, 18 years ago

Status: changed from new to assigned

comment:4 by Randy McMurchy, 18 years ago

Looking at this issue further (hoping that the original security vulnerability was the one I pointed the new link to), I don't think the issue affects BLFS as we don't enable the 'lynxcgi' feature by default.

As is mentioned in the security bulletin, you must explicitly compile lynxcgi support into the build using the --enable-lynxcgi-links switch, which BLFS does not by default.

I think simply mentioning this switch in the "command explanations" section with a note to not use it because of the security vulnerability is enough to close the bug.

I'll wait for Archaic to comment and/or close the bug after I update Lynx.
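
A check for the workaround discussed in comments 2 and 4, as an added example that is not part of the ticket or the BLFS book: it reports whether a lynx.cfg carries an active TRUSTED_LYNXCGI:none line. The function names, result labels and sample config are constructed for illustration; it assumes one KEY:value directive per line, with # starting a comment.

```shell
#!/bin/sh
# Added example: audit a lynx.cfg for the TRUSTED_LYNXCGI:none directive.
# audit_lynxcgi FILE prints one label (labels are this example's own):
#   restricted  - an active TRUSTED_LYNXCGI:none line and no other rule
#   mixed       - TRUSTED_LYNXCGI:none plus other active TRUSTED_LYNXCGI rules
#   other-rules - only active rules with a value other than none
#   commented   - the directive appears only in comment lines
#   absent      - the directive is not mentioned at all
audit_lynxcgi() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    awk '
        # Active directive: optional leading blanks, key, colon, value.
        /^[ \t]*TRUSTED_LYNXCGI:/ {
            val = $0
            sub(/^[ \t]*TRUSTED_LYNXCGI:[ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)      # tolerate trailing blanks and CR
            if (val == "none") none++; else other++
            next
        }
        # Same key behind a comment marker has no effect; count it separately.
        /^[ \t]*#[ \t]*TRUSTED_LYNXCGI:/ { commented++ }
        END {
            if (none && other)  print "mixed"
            else if (none)      print "restricted"
            else if (other)     print "other-rules"
            else if (commented) print "commented"
            else                print "absent"
        }
    ' "$cfg"
}

# Constructed sample input (not a real distribution lynx.cfg).
sample_cfg() {
    cat <<'EOF'
# constructed sample for the audit above
STARTFILE:file://localhost/usr/share/doc/lynx/index.html
#TRUSTED_LYNXCGI:none
EOF
}

# Stand-alone run: the sample only has the directive commented out.
tmp=$(mktemp) && sample_cfg > "$tmp" && audit_lynxcgi "$tmp"; rm -f "$tmp"
```

Anything other than "restricted" means the file does not yet match the directive quoted in comment 2.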

comment:5 by Randy McMurchy, 18 years ago

Added a note to the Lynx instructions that identifies, and shows how to avoid this security vulnerability.

I believe the bug is ready to close, however I'll wait for Archaic to comment and/or close it.

comment:6 by archaic@…, 18 years ago

Resolution: fixed
Status: changed from assigned to closed

Looks good.
