USN-1642-1: Lynx vulnerabilities

Releases

• Ubuntu 12.10
• Ubuntu 12.04
• Ubuntu 11.10
• Ubuntu 10.04

Packages

• lynx-cur - Text-mode WWW Browser with NLS support

Details

Dan Rosenberg discovered a heap-based buffer overflow in Lynx. If a user
were tricked into opening a specially crafted page, a remote attacker could
cause a denial of service via application crash, or possibly execute
arbitrary code as the user invoking the program. This issue only affected
Ubuntu 10.04 LTS. (CVE-2010-2810)

It was discovered that Lynx did not properly verify that an HTTPS
certificate was signed by a trusted certificate authority. This could allow
an attacker to perform a "machine-in-the-middle" (MITM) attack which would make
the user believe their connection is secure, but is actually being
monitored. This update changes the behavior of Lynx such that self-signed
certificates no longer validate. Users requiring the previous behavior can
use the 'FORCE_SSL_PROMPT' option in lynx.cfg. (CVE-2012-5821)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.10

• lynx-cur - 2.8.8dev.12-2ubuntu0.1

Ubuntu 12.04

• lynx-cur - 2.8.8dev.9-2ubuntu0.12.04.1

Ubuntu 11.10

• lynx-cur - 2.8.8dev.9-2ubuntu0.11.10.1

Ubuntu 10.04

• lynx-cur - 2.8.8dev.2-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References

• CVE-2010-2810
• CVE-2012-5821