• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Lynx Command Line URL CRLF Injection Vulnerability

Solution:
ELinks 0.4pre15 is not vulnerable to this issue. Users of ELinks are urged to download and install the newest version of ELinks:

Conectiva has released an advisory (CLA-2003:720) to address this issue. Please see the attached advisory for further details regarding applying fixes. Fixes are linked below.

SCO has released a security advisory. Fixes for OpenLinux are available.

The Lynx patch is now available at a different location.

Debian has released an advisory (Debian Security Advisory DSA-210-1) which contains fixes. Please see the attached advisory for more details on obtaining fixes.

Red Hat has release advisory RHSA-2003:029-06 to address this issue.

OpenPKG has made fixes versions of their lynx package available. See referenced advisory for more details.

Sun has released a fix for Sun Linux 5.0.6.

The following fixes are available:


ELinks ELinks 0.2.4

• Elinks elinks-0.4pre15.tar.bz2
  http://elinks.or.cz/download/elinks-0.4pre15.tar.bz2

ELinks ELinks 0.3.2

• Elinks elinks-0.4pre15.tar.bz2
  http://elinks.or.cz/download/elinks-0.4pre15.tar.bz2

University of Kansas Lynx 2.8.3

• Debian lynx-ssl_2.8.3.1-1.1_alpha.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3 .1-1.1_alpha.deb


• Debian lynx-ssl_2.8.3.1-1.1_arm.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3 .1-1.1_arm.deb


• Debian lynx-ssl_2.8.3.1-1.1_i386.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3 .1-1.1_i386.deb


• Debian lynx-ssl_2.8.3.1-1.1_m68k.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3 .1-1.1_m68k.deb


• Debian lynx-ssl_2.8.3.1-1.1_powerpc.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3 .1-1.1_powerpc.deb


• Debian lynx-ssl_2.8.3.1-1.1_sparc.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3 .1-1.1_sparc.deb


• Debian lynx_2.8.3-1.1_alpha.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_alp ha.deb


• Debian lynx_2.8.3-1.1_arm.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_arm .deb


• Debian lynx_2.8.3-1.1_i386.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_i38 6.deb


• Debian lynx_2.8.3-1.1_m68k.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_m68 k.deb


• Debian lynx_2.8.3-1.1_powerpc.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_pow erpc.deb


• Debian lynx_2.8.3-1.1_sparc.deb
  Debian GNU/Linux 2.2 alias potato.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_spa rc.deb

University of Kansas Lynx 2.8.4

• Debian lynx-ssl_2.8.4.1b-3.1_alpha.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4 .1b-3.1_alpha.deb


• Debian lynx-ssl_2.8.4.1b-3.1_arm.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4 .1b-3.1_arm.deb


• Debian lynx-ssl_2.8.4.1b-3.1_hppa.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4 .1b-3.1_hppa.deb


• Debian lynx-ssl_2.8.4.1b-3.1_i386.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4 .1b-3.1_i386.deb


• Debian lynx-ssl_2.8.4.1b-3.1_ia64.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4 .1b-3.1_ia64.deb


• Debian lynx-ssl_2.8.4.1b-3.1_mips.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4 .1b-3.1_mips.deb


• Debian lynx-ssl_2.8.4.1b-3.1_mipsel.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4 .1b-3.1_mipsel.deb


• Debian lynx-ssl_2.8.4.1b-3.1_powerpc.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4 .1b-3.1_powerpc.deb


• Debian lynx-ssl_2.8.4.1b-3.1_s390.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4 .1b-3.1_s390.deb


• Debian lynx-ssl_2.8.4.1b-3.1_sparc.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4 .1b-3.1_sparc.deb


• Debian lynx_2.8.4.1b-3.2_alpha.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_ alpha.deb


• Debian lynx_2.8.4.1b-3.2_arm.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_ arm.deb


• Debian lynx_2.8.4.1b-3.2_hppa.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_ hppa.deb


• Debian lynx_2.8.4.1b-3.2_i386.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_ i386.deb


• Debian lynx_2.8.4.1b-3.2_m68k.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_ m68k.deb


• Debian lynx_2.8.4.1b-3.2_mips.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_ mips.deb


• Debian lynx_2.8.4.1b-3.2_mipsel.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_ mipsel.deb


• Debian lynx_2.8.4.1b-3.2_powerpc.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_ powerpc.deb


• Debian lynx_2.8.4.1b-3.2_s390.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_ s390.deb


• Debian lynx_2.8.4.1b-3.2_sparc.deb
  Debian GNU/Linux 3.0 alias woody.
  http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.4.1b-3.2_ sparc.deb


• OpenPKG lynx-2.8.4-1.1.1.src.rpm
  ftp://ftp.openpkg.org/release/1.1/UPD/lynx-2.8.4-1.1.1.src.rpm


• Red Hat lynx-2.8.4-9.1.ppc.rpm
  ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/lynx-2.8.4-9.1.ppc.rpm


• Red Hat lynx-2.8.4-9.1.ppc.rpm
  ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/lynx-2.8.4-9.1.ppc.rpm


• Red Hat lynx-2.8.3-2.1.i386.rpm
  ftp://updates.redhat.com/6.2/en/os/i386/lynx-2.8.3-2.1.i386.rpm


• Red Hat lynx-2.8.4-18.1.i386.rpm
  ftp://updates.redhat.com/7.2/en/os/i386/lynx-2.8.4-18.1.i386.rpm


• Red Hat lynx-2.8.4-18.1.i386.rpm
  ftp://updates.redhat.com/7.3/en/os/i386/lynx-2.8.4-18.1.i386.rpm


• Red Hat lynx-2.8.4-18.1.ia64.rpm
  ftp://updates.redhat.com/7.2/en/os/ia64/lynx-2.8.4-18.1.ia64.rpm


• Red Hat lynx-2.8.4-9.1.i386.rpm
  ftp://updates.redhat.com/7.0/en/os/i386/lynx-2.8.4-9.1.i386.rpm


• Red Hat lynx-2.8.4-9.1.i386.rpm
  ftp://updates.redhat.com/7.1/en/os/i386/lynx-2.8.4-9.1.i386.rpm


• Red Hat lynx-2.8.5-7.1.i386.rpm
  ftp://updates.redhat.com/8.0/en/os/i386/lynx-2.8.5-7.1.i386.rpm


• SCO lynx-2.8.4-1.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-049.0/R PMS


• SCO lynx-2.8.4-1.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-04 9.0/RPMS


• SCO lynx-2.8.4-1.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-049.0/RPM S


• SCO lynx-2.8.4-1.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-049. 0/RPMS


• SCO lynx-2.8.4-1.src.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-049.0/S RPMS


• SCO lynx-2.8.4-1.src.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-04 9.0/SRPMS


• SCO lynx-2.8.4-1.src.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-049.0/SRP MS


• SCO lynx-2.8.4-1.src.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-049. 0/SRPMS


• Sun lynx-2.8.4-18.1.i386.rpm
  ftp://ftp.cobalt.sun.com/pub/products/sunlinux/5.0/en/updates/i386/RPM S/lynx-2.8.4-18.1.i386.rpm


• Trustix lynx-ssl-2.8.4-1tr.i586.rpm
  ftp://ftp.trustix.net/pub/Trustix/updates/1.1/RPMS/lynx-ssl-2.8.4-1tr. i586.rpm


• Trustix lynx-ssl-2.8.4-1tr.i586.rpm
  ftp://ftp.trustix.net/pub/Trustix/updates/1.2/RPMS/lynx-ssl-2.8.4-1tr. i586.rpm


• Trustix lynx-ssl-2.8.4-1tr.i586.rpm
  ftp://ftp.trustix.net/pub/Trustix/updates/1.5/RPMS/lynx-ssl-2.8.4-1tr. i586.rpm

University of Kansas Lynx 2.8.4 rel.1

• University of Kansas lynx2.8.4rel.1c.patch
  ftp://lynx.isc.org/lynx/lynx2.8.4/patches/lynx2.8.4rel.1c.patch

University of Kansas Lynx 2.8.5 dev.8

• MandrakeSoft lynx-2.8.5-0.10mdk.dev.8.i586.rpm
  Linux-Mandrake 7.2
  http://www.mandrakesecure.net/en/ftp.php


• MandrakeSoft lynx-2.8.5-0.10mdk.dev.8.i586.rpm
  Mandrake Linux 8.0
  http://www.mandrakesecure.net/en/ftp.php


• MandrakeSoft lynx-2.8.5-0.10mdk.dev.8.i586.rpm
  Mandrake Linux 8.1
  http://www.mandrakesecure.net/en/ftp.php


• MandrakeSoft lynx-2.8.5-0.10mdk.dev.8.i586.rpm
  Mandrake Linux 8.2
  http://www.mandrakesecure.net/en/ftp.php


• MandrakeSoft lynx-2.8.5-0.10mdk.dev.8.i586.rpm
  Mandrake Linux 9.0
  http://www.mandrakesecure.net/en/ftp.php


• MandrakeSoft lynx-2.8.5-0.10mdk.dev.8.i586.rpm
  Multi Network Firewall 8.2
  http://www.mandrakesecure.net/en/ftp.php


• MandrakeSoft lynx-2.8.5-0.10mdk.dev.8.i586.rpm
  Single Network Firewall 7.2
  http://www.mandrakesecure.net/en/ftp.php


• MandrakeSoft lynx-2.8.5-0.10mdk.dev.8.ia64.rpm
  Mandrake Linux 8.1/IA64
  http://www.mandrakesecure.net/en/ftp.php


• MandrakeSoft lynx-2.8.5-0.10mdk.dev.8.ppc.rpm
  Mandrake Linux 8.0/PPC
  http://www.mandrakesecure.net/en/ftp.php


• MandrakeSoft lynx-2.8.5-0.10mdk.dev.8.ppc.rpm
  Mandrake Linux 8.2/PPC
  http://www.mandrakesecure.net/en/ftp.php