From owner-freebsd-security  Thu Mar 16  0:30:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rins.st.ryukoku.ac.jp (rins.st.ryukoku.ac.jp [133.83.4.1])
	by hub.freebsd.org (Postfix) with ESMTP id 3E19C37BC4A
	for <freebsd-security@freebsd.org>; Thu, 16 Mar 2000 00:30:22 -0800 (PST)
	(envelope-from kjm@ideon.st.ryukoku.ac.jp)
Received: from ideon.st.ryukoku.ac.jp (ideon.st.ryukoku.ac.jp [133.83.36.5])
	by rins.st.ryukoku.ac.jp (8.9.3+3.2W/3.7W/RINS-1.9.6-NOSPAM) with ESMTP id RAA00482
	for <freebsd-security@freebsd.org>; Thu, 16 Mar 2000 17:30:20 +0900 (JST)
Received: from ideon.st.ryukoku.ac.jp (kjm@localhost [127.0.0.1])
	by ideon.st.ryukoku.ac.jp (8.9.3/3.7W/kjm-19990628) with ESMTP id RAA92794
	for <freebsd-security@freebsd.org>; Thu, 16 Mar 2000 17:30:20 +0900 (JST)
From: kjm@rins.ryukoku.ac.jp (KOJIMA Hajime)
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx
In-reply-to: Your message of "Wed, 15 Mar 2000 09:34:43 PST"
References: <20000315173443.F231737BA56@hub.freebsd.org>
Date: Thu, 16 Mar 2000 17:30:19 +0900
Message-ID: <92790.953195419@ideon.st.ryukoku.ac.jp>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In <20000315173443.F231737BA56@hub.freebsd.org>,
FreeBSD Security Officer wrote:
| FreeBSD-SA-00:08                                           Security Advisory
...
| Topic:		Lynx ports contain numerous buffer overflows
...
| II.  Problem Description
| 
| The lynx software is written in a very insecure style and contains numerous
| potential and several proven security vulnerabilities (publicized on the
| BugTraq mailing list) exploitable by a malicious server.
| 
| The lynx ports are not installed by default, nor are they "part of FreeBSD"
| as such: they are part of the FreeBSD ports collection, which contains over
| 3100 third-party applications in a ready-to-install format.

  But, /stand/sysinstall still use lynx as default text browser.
  If you want to read HTML documents in sysinstall, /stand/sysinstall
  will go to install lynx package automatically (and it will fail in
  4.0-RELEASE).   

---- from release/sysinstall/install.c revision 1.268:
    variable_set2(VAR_BROWSER_PACKAGE,          "lynx", 0);
    variable_set2(VAR_BROWSER_BINARY,           "/usr/local/bin/lynx", 0);
----

----
KOJIMA Hajime - Ryukoku University, Seta, Ootsu, Shiga, 520-2194 Japan
[Office] kjm@rins.ryukoku.ac.jp, http://www.st.ryukoku.ac.jp/~kjm/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message