Re: LYNX-DEV new security bulletin drafts
From: Jim Spath (Webmaster Jim)
Subject: Re: LYNX-DEV new security bulletin drafts
Date: Sat, 12 Jul 1997 09:43:46 -0400 (EDT)
On Fri, 11 Jul 1997, Jonathan Sergent wrote:
> Jim posted some changes to version 3 of the drafts.
...
> See version 4 of both bulletins, same place as before.
> Mail from here is really slow...
All right, I admit it, I'm a lousy editor... Here are some spelling and
style changes. The only substantive changes are mentioning that single
user systems are not affected by /tmp being writable, and where to
actually find some binaries.
FWIW, UNIX spell couldn't find "writeable" or "writable." My paper
dictionary has "writable."~
[Subir, you'll probably need to flag "fixed" binaries...]
----><----><----><----><----><----><----><----><----><----><----><----
* Bulletin 1 patches *
*** b1v4.t Sat Jul 12 09:07:48 1997
--- b1v5.t Sat Jul 12 09:28:08 1997
***************
*** 6,12 ****
the temporary file with a symbolic link or with another file.
Installed versions of Lynx where the /tmp directory is used to store
! files during download are vulnerable.
II. Impact
--- 6,13 ----
the temporary file with a symbolic link or with another file.
Installed versions of Lynx where the /tmp directory is used to store
! files during download are vulnerable. Systems operated by a single
! user (e.g., Linux or NetBSD) are not vulnerable.
II. Impact
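Review bot: The sentence added in the two changed lines gives Linux and NetBSD as examples of single-user systems, but both are multi-user operating systems, so a reader on a shared Linux host could conclude they are unaffected. What removes the exposure is that no other local user can write to the temporary directory. Suggest stating that condition and dropping the operating system names, for example "Systems with only one local user are not vulnerable."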
***************
*** 53,63 ****
Lynx 2.7.1 will replace "~" in the temp. space allocation with the
path to the user's home directory.
! Individual users may also set the LYNX_TEMP_SPACE environment variable to
! point to another place known to be unwriteable by other users (for
instanc
! e
! a subdirectory of the users' home directory, or a mode 0700 directory of
a
! "sticky" /tmp).
To do this with Lynx 2.7.1 with the FOTEMODS patch set applied:
--- 54,63 ----
Lynx 2.7.1 will replace "~" in the temp. space allocation with the
path to the user's home directory.
! Individual users may also set the LYNX_TEMP_SPACE environment
! variable to point to another place known to be unwriteable by other
! users (for instance a subdirectory of the users' home directory, or a
! mode 0700 directory of a "sticky" /tmp).
To do this with Lynx 2.7.1 with the FOTEMODS patch set applied:
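Review bot: The rewrapped paragraph on the new side still reads "unwriteable" and "the users' home directory", while the context line just above it has "the user's home directory" and the cover note settles on "writable". Since these lines are being re-flowed anyway, suggest "not writable by other users", "the user's home directory", and a comma after "for instance". "a mode 0700 directory of a "sticky" /tmp" would also read more clearly as "a mode 0700 directory inside a "sticky" /tmp".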
* Bulletin 2 patches *
*** b2v4.t Sat Jul 12 09:10:32 1997
--- b2v5.t Sat Jul 12 09:25:57 1997
***************
*** 1,7 ****
I. Description
Lynx, on Un*x systems, may be coerced to read or execute arbitrary
! files on the local system regardles of restrictions set by the
system administrator.
Installed versions of Lynx up to and including version 2.7.1 on Unix
--- 1,7 ----
I. Description
Lynx, on Un*x systems, may be coerced to read or execute arbitrary
! files on the local system regardless of restrictions set by the
system administrator.
Installed versions of Lynx up to and including version 2.7.1 on Unix
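Review bot: The description mixes "Un*x systems" in its first sentence with "on Unix" in the last context line of this hunk. As the sentence containing "regardless" is being corrected anyway, pick one spelling for the whole section.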
***************
*** 40,65 ****
IV. Solution
! Current developmental releases of lynx have fixed this problem since
1997-06-26. Patches you may find from before that date may not
! entirely elimintate the vulnerability.
The most recent stable version of Lynx (version 2.7.1) can be
patched to fix this problem by replacing the file "lynx2-7-1/src/LYDownload.c"
with a replacement file.
! The replacement file to eliminate this vulerability in version
2.7.1 is available (courtesy of Foteos Macrides) at:
http://www.slcc.edu/lynx/fote/patches/lynx2-7-1/src/LYDownload.c
All systems running Lynx versions 2.7.1 or earlier should be
updated to fix this problem.
! Two current developmental releases of lynx (which will be merged for
! the final release) are available at:
http://www.slcc.edu/lynx/fote/patches/
http://www.slcc.edu/lynx/current/
V. Contact information
--- 40,69 ----
IV. Solution
! Current developmental releases of Lynx have fixed this problem since
1997-06-26. Patches you may find from before that date may not
! entirely eliminate the vulnerability.
The most recent stable version of Lynx (version 2.7.1) can be
patched to fix this problem by replacing the file "lynx2-7-1/src/LYDownload.c"
with a replacement file.
! The replacement file to eliminate this vulnerability in version
2.7.1 is available (courtesy of Foteos Macrides) at:
http://www.slcc.edu/lynx/fote/patches/lynx2-7-1/src/LYDownload.c
All systems running Lynx versions 2.7.1 or earlier should be
updated to fix this problem.
! Two branches of Lynx source code are available at:
http://www.slcc.edu/lynx/fote/patches/
http://www.slcc.edu/lynx/current/
+ Binary distributions of Lynx may be found at:
+ http://www.crl.com/~subir/lynx/binaries.html
+
+ Note that producing binaries is a volunteer job and the latest (or any)
+ version may not be available for a specific platform.
V. Contact information
----><----><----><----><----><----><----><----><----><----><----><----
------
<http://www.cs.indiana.edu/picons/db/users/us/md/lib/bcpl/jspath/face.xbm>
Marvin the Paranoid Android says:
I'm not getting you down am I?