USN-1642-1: Lynx vulnerabilities
29 November 2012
Two security issues were fixed in Lynx.
Releases
Packages
- lynx-cur - Text-mode WWW Browser with NLS support
Details
Dan Rosenberg discovered a heap-based buffer overflow in Lynx. If a user
were tricked into opening a specially crafted page, a remote attacker could
cause a denial of service via application crash, or possibly execute
arbitrary code as the user invoking the program. This issue only affected
Ubuntu 10.04 LTS. (CVE-2010-2810)
It was discovered that Lynx did not properly verify that an HTTPS
certificate was signed by a trusted certificate authority. This could allow
an attacker to perform a "machine-in-the-middle" (MITM) attack which would make
the user believe their connection is secure, but is actually being
monitored. This update changes the behavior of Lynx such that self-signed
certificates no longer validate. Users requiring the previous behavior can
use the 'FORCE_SSL_PROMPT' option in lynx.cfg. (CVE-2012-5821)
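The following Python script is an added illustration, not Lynx's code and not part of this notice. It contrasts the two client-side TLS postures the notice describes: a context that requires the server certificate to chain to a trusted CA (the post-update behavior) beside one that accepts any certificate (the pre-update behavior that allowed interception). The lynx.cfg fragment is constructed, the small parser is hypothetical, and the meanings assigned to the FORCE_SSL_PROMPT values (yes, no, prompt) are an assumption to be checked against the lynx.cfg shipped on your system; where Lynx would prompt the user, the example simply refuses.

```python
import ssl

# Constructed lynx.cfg fragment (not from the notice). The '#' line is a
# commented-out default that a naive parser must not treat as active.
SAMPLE_LYNX_CFG = """\
# Lynx configuration (constructed sample)
#FORCE_SSL_PROMPT:prompt
STARTFILE:https://example.invalid/
FORCE_SSL_PROMPT:yes
"""


def read_option(cfg_text: str, key: str, default: str) -> str:
    """Return the last active KEY:value setting in lynx.cfg-style text.

    Lines are KEY:value, lines starting with '#' are comments, and a later
    setting overrides an earlier one, so the last match wins.
    """
    value = default
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, val = line.partition(":")
        if sep and name.strip().upper() == key.upper():
            value = val.strip()
    return value


def make_client_context(force_ssl_prompt: str) -> ssl.SSLContext:
    """Build a client TLS context from an assumed FORCE_SSL_PROMPT policy.

    Assumed meanings: 'no' and 'prompt' require the server certificate to
    chain to a trusted CA and to match the hostname (the hardened default);
    'yes' reproduces the weak behavior of accepting any certificate, which
    lets an interposed host present its own certificate unnoticed.
    """
    policy = force_ssl_prompt.strip().lower()
    if policy not in ("yes", "no", "prompt"):
        raise ValueError(f"unknown FORCE_SSL_PROMPT value: {force_ssl_prompt!r}")
    ctx = ssl.create_default_context()  # loads the system trust store
    if policy == "yes":
        # Weak setting: no chain verification and no hostname check.
        # check_hostname must be cleared before verify_mode is relaxed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        # Hardened setting: chain and hostname verification are mandatory.
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verifies_certificates(ctx: ssl.SSLContext) -> bool:
    """True if the context refuses unverifiable server certificates."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    setting = read_option(SAMPLE_LYNX_CFG, "FORCE_SSL_PROMPT", default="prompt")
    ctx = make_client_context(setting)
    print(f"FORCE_SSL_PROMPT={setting}: verifies certificates? "
          f"{verifies_certificates(ctx)}")
```

With the constructed fragment the active setting is `yes`, so the script reports that certificates are not verified; removing that line leaves the commented default in force and the context falls back to mandatory verification. Any client that sets `CERT_NONE` is in the position Lynx was in before this update.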
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 12.10
- Ubuntu 12.04
- Ubuntu 11.10
- Ubuntu 10.04
In general, a standard system update will make all the necessary changes.