Login
Newsletter
Werbung

Sicherheit: Zwei Probleme in lynx
Aktuelle Meldungen Distributionen
Name: Zwei Probleme in lynx
ID: MDVSA-2008:217
Distribution: Mandriva
Plattformen: Mandriva Corporate 3.0, Mandriva Multi Network Firewall 2.0, Mandriva Corporate 4.0
Datum: Di, 28. Oktober 2008, 21:45
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4690
Applikationen: Lynx

Originalnachricht

This is a multi-part message in MIME format...

------------=_1225226719-14940-1568


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2008:217
http://www.mandriva.com/security/
_______________________________________________________________________

Package : lynx
Date : October 28, 2008
Affected: Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

A flaw was found in the way Lynx handled .mailcap and .mime.types
configuration files. If these files were present in the current
working directory, they would be loaded prior to similar files in
the user's home directory. This could allow a local attacker to
possibly execute arbitrary code as the user running Lynx, if they
could convince the user to run Lynx in a directory under their control
(CVE-2006-7234).

A vulnerability was found in the Lynxcgi: URI handler that could allow
an attacker to create a web page redirecting to a malicious URL that
would execute arbitrary code as the user running Lynx, if they were
using the non-default Advanced user mode (CVE-2008-4690).

This update corrects these issues and, in addition, makes Lynx always
prompt the user before loading a lynxcgi: URI. As well, the default
lynx.cfg configuration file marks all lynxcgi: URIs as untrusted.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4690
_______________________________________________________________________

Updated Packages:

Corporate 3.0:
52caf1fa68f721262582a92b206d37cd
corporate/3.0/i586/lynx-2.8.5-1.4.C30mdk.i586.rpm
3c047c7623e2225f8756b0c5bafda34d
corporate/3.0/SRPMS/lynx-2.8.5-1.4.C30mdk.src.rpm

Corporate 3.0/X86_64:
5cb50d077a5e7e7e0a013a2587d56c18
corporate/3.0/x86_64/lynx-2.8.5-1.4.C30mdk.x86_64.rpm
3c047c7623e2225f8756b0c5bafda34d
corporate/3.0/SRPMS/lynx-2.8.5-1.4.C30mdk.src.rpm

Corporate 4.0:
e1759c02ffc4435cd36344c6e5739a0f
corporate/4.0/i586/lynx-2.8.5-4.4.20060mlcs4.i586.rpm
18e40caa595ef9220aef5d988c656ef4
corporate/4.0/SRPMS/lynx-2.8.5-4.4.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
4c89dec9780616b58132b4632f81ec38
corporate/4.0/x86_64/lynx-2.8.5-4.4.20060mlcs4.x86_64.rpm
18e40caa595ef9220aef5d988c656ef4
corporate/4.0/SRPMS/lynx-2.8.5-4.4.20060mlcs4.src.rpm

Multi Network Firewall 2.0:
b7f3f30424e5ce4c4592f1ec0ff70e04 mnf/2.0/i586/lynx-2.8.5-1.4.C30mdk.i586.rpm
5cabc724908b48f46f7eb039390db4d0 mnf/2.0/SRPMS/lynx-2.8.5-1.4.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJB06HmqjQ0CJFipgRAuS9AJ9pVisSYqgyYI0jhG3FEX0cPK5bxACfe6Ry
YAnREqCMTMmC2VYPrYF2Hlw=
=/vjO
-----END PGP SIGNATURE-----


------------=_1225226719-14940-1568
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1225226719-14940-1568--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung