Lynx -vulnerabilities- is this permanent?
Foxfair Hu
foxfair at drago.fomokka.net
Thu Apr 19 02:21:31 UTC 2007
Lowell Gilbert wrote:
> David Southwell <david at vizion2000.net> writes:
>
>> portupgrade -a produces following output for lynx on cvsup from today.
>> freebsd 6.1
>> -----------------------------------------
>> ---> Upgrading 'lynx-2.8.5_2' to 'lynx-2.8.6_4' (www/lynx)
>> ---> Building '/usr/ports/www/lynx'
>> ===> Cleaning for lynx-2.8.6_4
>> ===> lynx-2.8.6_4 has known vulnerabilities:
>> => lynx -- remote buffer overflow.
>> Reference:
>> <http://www.FreeBSD.org/ports/portaudit/c01170bf-4990-11da-a1b8-000854d03344.html>
>> => Please update your ports tree and try again.
>> *** Error code 1
>>
>> Stop in /usr/ports/www/lynx.
>>
>> Any news or advice forthcoming?
>
> That doesn't *seem* to be applicable to the current version.
> It looks like a version-number parsing problem producing a false warning.
> I don't have access to my build machine to check more closely, though...
>
> .
>
Definitely a false alert; lynx 2.8.5rel4 had fixed the problem, and it
was rev1.112 of the Makefile in www/lynx. If no one objects, I'll put in
this diff to prevent portaudit from sending the wrong warning again:
-------------- next part --------------
--- /usr/ports/www/lynx/Makefile Mon Apr 16 00:04:47 2007
+++ ./Makefile Thu Apr 19 10:06:59 2007
@@ -7,11 +7,11 @@
PORTNAME= lynx
PORTVERSION= 2.8.6
-PORTREVISION= 4
+PORTREVISION= 5
CATEGORIES= www ipv6
MASTER_SITES= http://lynx.isc.org/current/ \
ftp://lynx.isc.org/lynx${PORTVERSION}/patches/:patches
-DISTNAME= ${PORTNAME}${PORTVERSION}rel.${PORTREVISION}
+DISTNAME= ${PORTNAME}${PORTVERSION}rel.4
MAINTAINER?= jharris at widomaker.com
COMMENT?= A non-graphical, text-based World-Wide Web client
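Review bot: the literal 4 in the new DISTNAME line is an unexplained magic number. The old line tied the upstream "rel." suffix to PORTREVISION, so decoupling the two is right, but the upstream release level would be safer in its own commented variable (or at least with a comment on this line), so that a later PORTREVISION bump is not mistaken for a new lynx release and the next upstream release is not missed. The commit message should also say why PORTREVISION goes from 4 to 5 when the distfile name stays at rel.4.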
@@ -28,6 +28,9 @@
.if defined(ENABLE_DEFAULT_COLORS)
CONFIGURE_ARGS+=--enable-default-colors
.endif
+
+# CVE-2005-3120 was fixed in lynx 2.8.5rel4
+DISABLE_VULNERABILITIES= YES
MAKE_ARGS= helpdir=${L_HELP} docdir=${DOCSDIR}
MAKEFILE= makefile
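Review bot: DISABLE_VULNERABILITIES= YES is set unconditionally, and nothing on that line scopes it to CVE-2005-3120; only the comment above it does. Left in the port Makefile, it keeps the vulnerability check switched off for www/lynx when a later advisory arrives, so a real finding would be silenced the same way as this false one. Prefer correcting the affected version range in the vulnerability database entry that portaudit matched; if the knob has to go in as a stopgap, the comment should say it is temporary and when to remove it. Minor style point: the hunk adds a blank line before the comment but none between the new assignment and MAKE_ARGS.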