The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Security Update: [CSSA-2002-049.0] Linux: lynx CRLF injection vulnerability


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Mon, 18 Nov 2002 16:26:42 -0800
From: [email protected]
To: [email protected], [email protected],
Subject: Security Update: [CSSA-2002-049.0] Linux: lynx CRLF injection vulnerability

--L+ofChggJdETEG3Y
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

To: [email protected] [email protected] [email protected] [email protected]


______________________________________________________________________________

			SCO Security Advisory

Subject:		Linux: lynx CRLF injection vulnerability
Advisory number: 	CSSA-2002-049.0
Issue date: 		2002 November 18
Cross reference:
______________________________________________________________________________


1. Problem Description

	If lynx is given a url with some special characters on
	the command line, it will include faked headers in the HTTP
	query. This feature can be used to force scripts (that use Lynx
	for downloading files) to access the wrong site on a web server
	with multiple virtual hosts.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to lynx-2.8.4-1.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to lynx-2.8.4-1.i386.rpm

	OpenLinux 3.1 Server		prior to lynx-2.8.4-1.i386.rpm

	OpenLinux 3.1 Workstation	prior to lynx-2.8.4-1.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-049.0/RPMS

	4.2 Packages

	86aa0c385c7b4789aa33fe57dc209490	lynx-2.8.4-1.i386.rpm

	4.3 Installation

	rpm -Fvh lynx-2.8.4-1.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-049.0/SRPMS

	4.5 Source Packages

	2b48e8130471668d9562fc10a5969d02	lynx-2.8.4-1.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-049.0/RPMS

	5.2 Packages

	bd467354192cc42c87abb4be5650749f	lynx-2.8.4-1.i386.rpm

	5.3 Installation

	rpm -Fvh lynx-2.8.4-1.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-049.0/SRPMS

	5.5 Source Packages

	cf32748b277276e5f43a6f4111bb1ff2	lynx-2.8.4-1.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-049.0/RPMS

	6.2 Packages

	02bb0b77cf7f6014c6ad5a386e5bc763	lynx-2.8.4-1.i386.rpm

	6.3 Installation

	rpm -Fvh lynx-2.8.4-1.i386.rpm

	6.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-049.0/SRPMS

	6.5 Source Packages

	61828e229e2794c46376c95354c8859c	lynx-2.8.4-1.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-049.0/RPMS

	7.2 Packages

	d0b3580c93c3790d88eb0c4d18a75e58	lynx-2.8.4-1.i386.rpm

	7.3 Installation

	rpm -Fvh lynx-2.8.4-1.i386.rpm

	7.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-049.0/SRPMS

	7.5 Source Packages

	2c321eabba1a1d8172893de42f58af59	lynx-2.8.4-1.src.rpm


8. References

	Specific references for this advisory:
		none

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr868660, fz525986,
	erg712118.


9. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.


10. Acknowledgements

	SCO would like to thank Ulf Harnhammar for the discovery and
	analysis of this vulnerability.

______________________________________________________________________________

--L+ofChggJdETEG3Y
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj3ZhUIACgkQbluZssSXDTFNygCgmnS4g5fkEUSCnkd8vyq9WtXC
nbgAoO21y7RUBVTEwdTe0+fp8fR+YFBP
=Kp+N
-----END PGP SIGNATURE-----

--L+ofChggJdETEG3Y--

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру