Bug 1189354 – VUL-1: CVE-2021-38165: lynx: through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.

Bug 1189354 - (CVE-2021-38165) VUL-1: CVE-2021-38165: lynx: through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.

(CVE-2021-38165)
Summary:	VUL-1: CVE-2021-38165: lynx: through 2.8.9 mishandles the userinfo subcompone...

Status:	RESOLVED FIXED

Classification:	openSUSE
Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Other
Version:	Leap 15.3
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor (vote)
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/305971/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-08-11 17:16 UTC by Gianluca Gabrielli
Modified:	2021-08-12 07:00 UTC (History)
CC List:	0 users

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gianluca Gabrielli 2021-08-11 17:16:13 UTC

HTParse in Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI,
which allows remote attackers to discover cleartext credentials because they may
appear in SNI data or HTTP headers.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38165
https://www.openwall.com/lists/oss-security/2021/08/07/7
http://seclists.org/oss-sec/2021/q3/80
http://seclists.org/oss-sec/2021/q3/78
https://www.openwall.com/lists/oss-security/2021/08/07/1
http://www.debian.org/security/-1/dsa-4953
https://github.com/w3c/libwww/blob/f010b4cc58d32f34b162f0084fe093f7097a61f0/Library/src/HTParse.c#L118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38165
http://www.cvedetails.com/cve/CVE-2021-38165/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991971
https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
https://lynx.invisible-island.net/current/CHANGES.html
https://bugs.debian.org/991971

Comment 1 Gianluca Gabrielli 2021-08-11 17:16:47 UTC

Please update openSUSE:Factory/lynx to a version >= 2.9.0dev.9

Comment 2 Petr Gajdos 2021-08-12 06:29:16 UTC

Done.

Comment 3 OBSbugzilla Bot 2021-08-12 07:00:06 UTC

This is an autogenerated message for OBS integration:
This bug (1189354) was mentioned in
https://build.opensuse.org/request/show/911537 Factory / lynx