--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated lynx package fixes security issues Advisory ID: FLSA:152832 Issue date: 2005-12-17 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CVE-2005-2929 CVE-2005-3120 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: An updated lynx package that corrects security issues is now available. Lynx is a text-based Web browser. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: An arbitrary command execute bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2929 to this issue. Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3120 to this issue. Users should update to this erratum package, which contains backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152832 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/ i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/ Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/ i386: http://download.fedoralegacy.org/redhat/9/updates/i386/ Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/ i386: http://download.fedoralegacy.org/fedora/1/updates/i386/ Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/ i386: http://download.fedoralegacy.org/fedora/2/updates/i386/ 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- f90ed394ffb119c628f30cbe24af00980e21ddec redhat/7.3/updates/i386/lynx-2.8.4-18.3.legacy.i386.rpm ae6eccd737ca25bd411bffb3db5a4ae46b512a0f redhat/7.3/updates/SRPMS/lynx-2.8.4-18.3.legacy.src.rpm e3f8bdd24f77bd9122afe9550b1711ec39580c30 redhat/9/updates/i386/lynx-2.8.5-11.2.legacy.i386.rpm e6f6f18d22595b977964b03e4f820ef4c259faf4 redhat/9/updates/SRPMS/lynx-2.8.5-11.2.legacy.src.rpm f9a79fc5425d1d853614c53c1ab158c9328c3078 fedora/1/updates/i386/lynx-2.8.5-13.2.legacy.i386.rpm 6711308acdcff88c914cda153f0862253efa0b67 fedora/1/updates/SRPMS/lynx-2.8.5-13.2.legacy.src.rpm ff7d68c03bbe5cbeac076e5153dc964b8900a8d5 fedora/2/updates/i386/lynx-2.8.5-15.2.legacy.i386.rpm e46bb7466177677c5a6032fcef7a71bc55145984 fedora/2/updates/SRPMS/lynx-2.8.5-15.2.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2929 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature