
Security Advisory: Updated lynx packages fix CRLF injection vulnerability

Advisory: RHSA-2003:029-08
Type: Security Advisory
Severity: N/A
Issued on: 2003-01-28
Last updated on: 2003-07-02
Affected Products: Red Hat Linux 6.2
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.1 for iSeries
Red Hat Linux 7.1 for pSeries
Red Hat Linux 7.2
Red Hat Linux 7.3
Red Hat Linux 8.0
CVEs (cve.mitre.org): CVE-2002-1405

Details

Updated lynx packages are available that fix an error in the way lynx
parses its command line arguments, which can lead to faked headers being
sent to a web server.

[Updated 16 April 2003]
Added packages for Red Hat Linux on IBM iSeries and pSeries systems.

Lynx is a character-cell Web browser, suitable for running on terminals
such as VT100.

Lynx constructs its HTTP queries from the command line (or WWW_HOME
environment variable) without regard to special characters such as carriage
returns or linefeeds. When given a URL containing such special characters,
extra headers could be inserted into the request. This could cause scripts
that use lynx to fetch data from the wrong site on servers that use virtual
hosting.
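
A simplified model of the flaw described above, added here as an illustration; it is not lynx's source or the patch shipped in these packages. The function names and the a.example / b.example hosts are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* 1 if s holds CR, LF or any other ASCII control byte (stricter than
   CR/LF alone; that extra strictness is a choice made for this example). */
int has_ctl(const char *s) {
    for (; *s; s++)
        if ((unsigned char)*s < 0x20 || *s == 0x7f) return 1;
    return 0;
}

/* Models the flawed behaviour: URL parts are copied into the request
   verbatim. Returns the request length, or -1 if it does not fit. */
int build_request_naive(char *out, size_t n, const char *host, const char *path) {
    int len = snprintf(out, n, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Hardened form: refuse the URL before any request bytes are built. */
int build_request_checked(char *out, size_t n, const char *host, const char *path) {
    if (has_ctl(host) || has_ctl(path)) return -1;
    return build_request_naive(out, n, host, path);
}

/* Number of Host header lines a server would see in the request. */
int count_host_headers(const char *req) {
    int count = 0;
    for (const char *p = req; (p = strstr(p, "\r\nHost:")) != NULL; p += 2)
        count++;
    return count;
}

int main(void) {
    char buf[256];
    const char *bad = "/\r\nHost: b.example";   /* constructed sample input */
    build_request_naive(buf, sizeof buf, "a.example", bad);
    printf("naive:   %d Host headers\n", count_host_headers(buf));
    printf("checked: %d\n", build_request_checked(buf, sizeof buf, "a.example", bad));
    return 0;
}
```

A script that passes externally supplied URLs to lynx can apply the same control-character check before invoking the browser, independently of the package update.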

Users of Lynx are advised to upgrade to these erratum packages, which
contain a patch to correct this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 6.2

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.3-2.1/SRPMS/lynx-2.8.3-2.1.src.rpm
    MD5: ee2ec726b41f93d3787abbcf2760cdfe
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.3-2.1/i386/lynx-2.8.3-2.1.i386.rpm
    MD5: 4f8b6cafe29d38e498e8d495ec687e8d
 
Red Hat Linux 7.0

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-9.1/SRPMS/lynx-2.8.4-9.1.src.rpm
    MD5: 2ef0ea9eaacd3745869855b3e09b3094
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-9.1/i386/lynx-2.8.4-9.1.i386.rpm
    MD5: fdf7f4ede3587e9ee9bad3b722da5f0e
 
Red Hat Linux 7.1

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-9.1/SRPMS/lynx-2.8.4-9.1.src.rpm
    MD5: 2ef0ea9eaacd3745869855b3e09b3094
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-9.1/i386/lynx-2.8.4-9.1.i386.rpm
    MD5: fdf7f4ede3587e9ee9bad3b722da5f0e
 
Red Hat Linux 7.1 for iSeries

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-9.1/SRPMS/lynx-2.8.4-9.1.src.rpm
    MD5: 2ef0ea9eaacd3745869855b3e09b3094
 
iSeries:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-9.1/ppc/lynx-2.8.4-9.1.ppc.rpm
    MD5: 92d6d356b53ce75788361536ebfb851f
 
Red Hat Linux 7.1 for pSeries

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-9.1/SRPMS/lynx-2.8.4-9.1.src.rpm
    MD5: 2ef0ea9eaacd3745869855b3e09b3094
 
pSeries:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-9.1/ppc/lynx-2.8.4-9.1.ppc.rpm
    MD5: 92d6d356b53ce75788361536ebfb851f
 
Red Hat Linux 7.2

SRPMS:
ftp://updates.redhat.com/rhn/public/2703533/lynx/2.8.4-18.1/SRPMS/lynx-2.8.4-18.1.src.rpm
    MD5: 45dbab8b692beafc8e9bfb367bc37892
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-18.1/SRPMS/lynx-2.8.4-18.1.src.rpm
    MD5: 45dbab8b692beafc8e9bfb367bc37892
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-18.1/i386/lynx-2.8.4-18.1.i386.rpm
    MD5: da2e0cc072fe3f313a4cd1ba1d2a9229
 
IA-64:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-18.1/ia64/lynx-2.8.4-18.1.ia64.rpm
    MD5: c9f787ae94edc0182b015524593f82a7
 
Red Hat Linux 7.3

SRPMS:
ftp://updates.redhat.com/rhn/public/2703533/lynx/2.8.4-18.1/SRPMS/lynx-2.8.4-18.1.src.rpm
    MD5: 45dbab8b692beafc8e9bfb367bc37892
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-18.1/SRPMS/lynx-2.8.4-18.1.src.rpm
    MD5: 45dbab8b692beafc8e9bfb367bc37892
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.4-18.1/i386/lynx-2.8.4-18.1.i386.rpm
    MD5: da2e0cc072fe3f313a4cd1ba1d2a9229
 
Red Hat Linux 8.0

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.5-7.1/SRPMS/lynx-2.8.5-7.1.src.rpm
    MD5: 6e0af76d0632ec353555843a84bb2a02
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/lynx/2.8.5-7.1/i386/lynx-2.8.5-7.1.i386.rpm
    MD5: 96fd9d05a357e6a0d11d5a2916b90485
 

Keywords

CRLF, lynx


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/