Operating System:

Published:

13 December 2002

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2002.702 -- Debian Security Advisory DSA-210-1
                            lynx CRLF injection
                             13 December 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                lynx
                        lynx-ssl
Vendor:                 Debian
Operating System:       Debian GNU/Linux 2.2
                        Debian GNU/Linux 3.0
                        Linux
                        UNIX
Impact:                 Reduced Security
Access Required:        Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-210-1                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
December 13, 2002
- - ------------------------------------------------------------------------


Package        : lynx, lynx-ssl
Problem type   : CRLF injection
Debian-specific: no

lynx (a text-only web browser) did not properly check for illegal
characters in all places, including processing of command line options,
which could be used to insert extra HTTP headers in a request.

For Debian GNU/Linux 2.2/potato this has been fixed in version 2.8.3-1.1
of the lynx package and version 2.8.3.1-1.1 of the lynx-ssl package.

For Debian GNU/Linux 3.0/woody this has been fixed in version 2.8.4.1b-3.2
of the lynx package and version 1:2.8.4.1b-3.1 of the lynx-ssl package.

- - ------------------------------------------------------------------------

Obtaining updates:

  By hand:
    wget URL
        will fetch the file for you.
    dpkg -i FILENAME.deb
        will install the fetched file.

  With apt:
    deb http://security.debian.org/ stable/updates main
        added to /etc/apt/sources.list will provide security updates

Additional information can be found on the Debian security webpages
at http://www.debian.org/security/

- - ------------------------------------------------------------------------


Debian GNU/Linux 2.2 alias potato
- - ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.


  Source archives:

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1.orig.tar.gz
      Size/MD5 checksum:  2058352 2ee38e4b05d587a787c33bff9085c098
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1.dsc
      Size/MD5 checksum:     1279 3eccb5692780db83f078013ff8796224
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1.dsc
      Size/MD5 checksum:     1229 2924513df600a7cc6b4d29987a325107
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3.orig.tar.gz
      Size/MD5 checksum:  2024975 0fc239287592e885231e4be2fb2cd755
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1.diff.gz
      Size/MD5 checksum:    20091 507a328f301a1c37471a69e60df4479d
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1.diff.gz
      Size/MD5 checksum:   101630 59d4dfb527584001374bebdcc9760623

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_alpha.deb
      Size/MD5 checksum:  1165112 dce2288ab84eaac8851c657ab271f5cd
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_alpha.deb
      Size/MD5 checksum:  1155516 775381bbf1c7c5f3177b17369969fda7

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_arm.deb
      Size/MD5 checksum:  1018784 ba8d2ee2271ebb56216e4f9c67690f6a
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_arm.deb
      Size/MD5 checksum:  1006492 85a7c675d239cce67e4d7076d69e8c48

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_i386.deb
      Size/MD5 checksum:   973310 9f591d8c7e97b1bd84da2f841397a75c
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_i386.deb
      Size/MD5 checksum:   980678 ef6cf5f0e4a8781b14876639fafa78be

  m68k architecture (Motorola Mc680x0)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_m68k.deb
      Size/MD5 checksum:   928930 b77c252b5da24613fd6b24ee7b8f09f5
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_m68k.deb
      Size/MD5 checksum:   938162 e3b5992515dfb3f537ee9ece56a05083

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_powerpc.deb
      Size/MD5 checksum:  1026988 3453040226d6fde9fb23ff8334d5e382
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_powerpc.deb
      Size/MD5 checksum:  1015372 c2e0c1e1026f7fd2053d2c09cab90be1

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_sparc.deb
      Size/MD5 checksum:  1015696 3a207988cadc086720029abf6a227954
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_sparc.deb
      Size/MD5 checksum:  1028208 bf6725e66a603d0652a6a987f737c64b


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,
  powerpc, s390 and sparc.

  Source archives:

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b.orig.tar.gz
      Size/MD5 checksum:  2557510 053a10f76b871e3944c11c7776da7f7a
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2.diff.gz
      Size/MD5 checksum:    14143 0d4c52fb301bc17ddc2f4f5117bf020b
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1.dsc
      Size/MD5 checksum:     1307 19488ce4d65e93b7ca412a3f3a818581
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2.dsc
      Size/MD5 checksum:     1221 768cb74ff2df353a07739ceacde62fe1
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1.diff.gz
      Size/MD5 checksum:    87306 d4cced8e81fb4ad0bf005d5ae04387b3

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_alpha.deb
      Size/MD5 checksum:  1610106 40e75977e49a5f96059129febf1e8bd7
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_alpha.deb
      Size/MD5 checksum:  1617220 de2a07846520d29d8168624ecadb023d

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_arm.deb
      Size/MD5 checksum:  1487560 35f377be3b161fb8235d4a0a18982ce1
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_arm.deb
      Size/MD5 checksum:  1491566 6e2605111b5dc7164b4db2c542fe2dde

  hppa architecture (HP PA RISC)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_hppa.deb
      Size/MD5 checksum:  1555212 72b2a7385c8dd606107486349d7bed7a
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_hppa.deb
      Size/MD5 checksum:  1559452 6cb03b8fbf8fa7a6eaaee52777a36737

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_i386.deb
      Size/MD5 checksum:  1449936 c0818c607e10ab576f463eab64267e2e
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_i386.deb
      Size/MD5 checksum:  1444654 c076ad1599549f031a50e220cecbedc1

  ia64 architecture (Intel ia64)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_ia64.deb
      Size/MD5 checksum:  1762384 fb7e808dc23dcf5676f350ee5de99b65
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_ia64.deb
      Size/MD5 checksum:  1769046 75740213ea49a9eb3bcba91e477f2f44

  m68k architecture (Motorola Mc680x0)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_m68k.deb
      Size/MD5 checksum:  1405466 d0faf24997b42bb50ac6995cfb69f2f9

  mips architecture (MIPS (Big Endian))

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_mips.deb
      Size/MD5 checksum:  1511738 332f842adc76b43e6b89296605ea5932
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_mips.deb
      Size/MD5 checksum:  1507588 11722f38007efb06835c4092dad8489a

  mipsel architecture (MIPS (Little Endian))

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_mipsel.deb
      Size/MD5 checksum:  1503806 479ff36c446a959d2817234ec4c7f2b3
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_mipsel.deb
      Size/MD5 checksum:  1507614 ffff3c5c89164dc560159852f09968a5

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_powerpc.deb
      Size/MD5 checksum:  1496782 ca05c2e570046afafb985a418d60c093
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_powerpc.deb
      Size/MD5 checksum:  1490836 e12d4c0dc846b538bd7484e70b8da9c8

  s390 architecture (IBM S/390)

    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_s390.deb
      Size/MD5 checksum:  1453926 e728dd600feb2ebf07ee7e31196ea8da
    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_s390.deb
      Size/MD5 checksum:  1460742 6504cf5ee0e0feaf35b237b544873534

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b-3.1_sparc.deb
      Size/MD5 checksum:  1497176 58f9a53667ef85fea0f0e1b07ff9c0e1
    http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_sparc.deb
      Size/MD5 checksum:  1492610 d987da73b4606999ec239d72ec00a30a

- - -- 
- - ----------------------------------------------------------------------------
Debian Security team <team@security.debian.org>
http://www.debian.org/security/
Mailing-List: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE9+R6iPLiSUC+jvC0RAumUAKCnCmPqeNaydB+wn7u8hpkdesm0zACeOx/i
+KPdCw5RNKljTnnRBTM00qM=
=Zb+W
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author\'s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPfngLCh9+71yA2DNAQEfHgP/VHHEhsTP97/l0dgOAw+zLev9FXRrp8cQ
9IWbOVuIvLHSyi9bXwUlcSCY5HQxWMJrb/zwACzWCB2VJmWwh4ZQ9sxCykSHi4D9
CVC8Ud/m1vsS3uN6hZlMvrE15/XJqLhMz7i5ge87F0KnEaNJTcE/26xGYK+z7cZM
EHZn0w2QZY0=
=jPhe
-----END PGP SIGNATURE-----