Re: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability

[Stef Caunter]

Well it is clearly the same person who made the September reports, which did 
not discuss nntp or command execution. 
Seems he didn't bother to report his further findings to the list: it is not 
like we were hard to find back in September.

Google returns all of these on page one of a "lynx vulnerability" search:
seclists.org/lists/fulldisclosure/2005/Oct/0407.html
lists.grok.org.uk/pipermail/ full-disclosure/2005-October/038023.html
www.checksum.org/cso/message/4730.html 
www.insecure.org/sploits/lynx.download.html

Yet the last report from the source (of these apparently well-documented 
submissions to the above) to this list was received and fixed subsequent 
to Sept. 25, 2005, unless I am missing something.

Perhaps it is unreasonable to expect at least a follow up from the poster, or 
for the vulnerability database maintainers to find lynx.isc.org to publish a 
report to the current developer list?

Curious!

Stef

> > Any of this related to this thread? I see some Oct 17 2005 reports with the 
> > same name (we didn't get anything on the list), but nothing since.
>
> Not directly.  I think that what happened was that one of the people on the 
> other mailing list happened to read something about this one (which
> was being sent to long-obsolete mailing addresses).