Package name: lynx
Date: October 28th, 2008
Advisory ID: MDVSA-2008:218
Affected versions: 2008.0, 2008.1, 2009.0

Problem Description

A vulnerability was found in the lynxcgi: URI handler that could allow
an attacker to create a web page redirecting to a malicious URL that
would execute arbitrary code as the user running Lynx, if that user was
running Lynx in the non-default Advanced user mode (CVE-2008-4690).

This update corrects this issue and, in addition, makes Lynx always
prompt the user before loading a lynxcgi: URI. The default lynx.cfg
configuration file also marks all lynxcgi: URIs as untrusted.

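To confirm that a given lynx.cfg actually carries the untrusted setting described above, the following check can be run against it. It is an added example, not part of the Mandriva advisory or of Lynx; it assumes the setting is expressed with upstream Lynx's TRUSTED_LYNXCGI directive (the advisory does not name the directive), and the function name and sample file are made up for illustration.

```sh
#!/bin/sh
# Added example: audit a lynx.cfg for its lynxcgi: trust rules.
# Assumption: the directive is upstream Lynx's TRUSTED_LYNXCGI, where the
# value "none" trusts no lynxcgi: URI. The advisory does not name it.
#
# Prints one verdict and returns 0 only when the file is locked down:
#   untrusted  - TRUSTED_LYNXCGI:none is present and no other rule exists
#   permissive - at least one rule trusts a source or path (review it)
#   unset      - no active rule (upstream documents this as allow-all)
audit_lynxcgi_cfg() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    verdict=$(awk '
        /^[ \t]*#/ { next }    # commented-out rules do not count
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Match the directive name case-insensitively (conservative).
            if (tolower(substr(line, 1, 16)) != "trusted_lynxcgi:") next
            value = substr(line, 17)
            gsub(/^[ \t]+|[ \t\r]+$/, "", value)
            if (tolower(value) == "none") none++; else other++
        }
        END {
            if (other > 0)     print "permissive"
            else if (none > 0) print "untrusted"
            else               print "unset"
        }' "$cfg")
    echo "$verdict"
    [ "$verdict" = "untrusted" ]
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
printf '%s\n' '# lynx.cfg excerpt' 'TRUSTED_LYNXCGI:none' > "$sample"
audit_lynxcgi_cfg "$sample" || :
rm -f "$sample"
```

The check reads a single file only: it does not follow INCLUDE directives in lynx.cfg, so any included files need to be audited separately.
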
Updated Packages

Mandriva Linux 2008.0

 2a6a4130c12d3d45d926b49713420272  2008.0/i586/lynx-2.8.6-2.1mdv2008.0.i586.rpm 
 aa0ff44a80fa5b485b54f52d12b485f2  2008.0/SRPMS/lynx-2.8.6-2.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64

 dcabb93ba8e48a0a96a632d2c8b11cb4  2008.0/x86_64/lynx-2.8.6-2.1mdv2008.0.x86_64.rpm 
 aa0ff44a80fa5b485b54f52d12b485f2  2008.0/SRPMS/lynx-2.8.6-2.1mdv2008.0.src.rpm

Mandriva Linux 2008.1

 1e04683750a061eecbe58c1b4fe7b173  2008.1/i586/lynx-2.8.6-2.1mdv2008.1.i586.rpm 
 68ddd2a1b9f991c11793a51dfbe9d9cb  2008.1/SRPMS/lynx-2.8.6-2.1mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64

 3ae02ae07a01e65aa16e3317e2d7afb0  2008.1/x86_64/lynx-2.8.6-2.1mdv2008.1.x86_64.rpm 
 68ddd2a1b9f991c11793a51dfbe9d9cb  2008.1/SRPMS/lynx-2.8.6-2.1mdv2008.1.src.rpm

Mandriva Linux 2009.0

 65c1c0a4cf6a8758bc8506b9a7b1d3c4  2009.0/i586/lynx-2.8.6-2.1mdv2009.0.i586.rpm 
 0026bfc6799a2242afd794932ce0b5a8  2009.0/SRPMS/lynx-2.8.6-2.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64

 0ad22b9ff40e6c7b8fc8ce25c4ef51cc  2009.0/x86_64/lynx-2.8.6-2.1mdv2009.0.x86_64.rpm 
 0026bfc6799a2242afd794932ce0b5a8  2009.0/SRPMS/lynx-2.8.6-2.1mdv2009.0.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4690

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, verification of the MD5 checksum and GPG signature is performed automatically for you.