COMMAND

    lynx

SYSTEMS AFFECTED

    all Linux distributions using lynx-2.8.2 and older

PROBLEM

    The following is based on a SuSE Security Announcement. A security
    hole was discovered in the package mentioned above. Please update
    as soon as possible or disable the service if you are using this
    software on your SuSE Linux installation(s). Other Linux
    distributions or operating systems might be affected as well;
    please contact your vendor for information about this issue.

    When lynx calls external programs for protocols (e.g. telnet), the
    location is passed to them unchecked. This can be used to activate
    command-line parameters of the external program. For example, this
    reference

        <A HREF="telnet://-n.rhosts">click me</A>

    would activate the tracefile option of the telnet client, with the
    result that a .rhosts file in the current directory would be
    created or overwritten. Depending on the external programs called
    by lynx, files can be created or truncated, or remote commands can
    even be executed if, e.g., ssh or rsh is configured in lynx.
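
    One way to perform the missing check before the location reaches
    an external client, as an added example (not lynx source code and
    not the vendor's fix). The function names and the allowed
    character set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not lynx source): returns 1 if `host` is safe to
 * pass as an argv element to an external client, 0 otherwise. */
static int host_is_safe_arg(const char *host)
{
    size_t i, len = strlen(host);
    if (len == 0 || host[0] == '-')   /* leading '-' parses as an option */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;                 /* no spaces or metacharacters */
    }
    return 1;
}

/* Copies the host of "telnet://host[:port][/]" into `out` and validates
 * it. Returns 0 on success, -1 if the URL must be refused. */
static int telnet_host_from_url(const char *url, char *out, size_t outsz)
{
    static const char scheme[] = "telnet://";
    const char *p;
    size_t n;

    if (strncmp(url, scheme, sizeof scheme - 1) != 0)
        return -1;
    p = url + sizeof scheme - 1;
    n = strcspn(p, ":/");             /* host ends at port or path */
    if (n >= outsz)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return host_is_safe_arg(out) ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs; the second is the reference from the advisory. */
    const char *urls[] = { "telnet://example.org:23/", "telnet://-n.rhosts" };
    char host[256];
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%s -> %s\n", urls[i],
               telnet_host_from_url(urls[i], host, sizeof host) ? "refused" : "accepted");
    return 0;
}
```

    The check is deliberately conservative: locations carrying a user
    part or an IPv6 literal are refused as well.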

SOLUTION

    Update the lynx package. For SuSE, you will find the update on
    their FTP server:

        ftp://ftp.suse.com/pub/suse/i386/update/5.3/n1/lynx-2.8.3dev9-76.i386.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.1/n1/lynx-2.8.3dev9-76.alpha.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/lynx-2.8.3dev9-76.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/lynx-2.8.3dev9-76.i386.rpm

    Webpage for patches:

        http://www.suse.de/patches/index.html