Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 807073 (CVE-2021-38165) - <www-client/lynx-2.9.0_pre9: cleartext credential transmission (CVE-2021-38165)
Summary: <www-client/lynx-2.9.0_pre9: cleartext credential transmission (CVE-2021-38165)
Alias: CVE-2021-38165
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa?]
Depends on: 813252
  Show dependency tree
Reported: 2021-08-07 23:54 UTC by John Helmert III
Modified: 2023-11-09 06:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 23:54:28 UTC

Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.

Fix is in 2.9.0dev.9.
Comment 1 Larry the Git Cow gentoo-dev 2021-08-29 22:22:19 UTC
The bug has been referenced in the following commit(s):

commit 602cfa4ff490b20c9aacb710d53855b9727b9f86
Author:     John Helmert III <>
AuthorDate: 2021-08-29 22:13:32 +0000
Commit:     John Helmert III <>
CommitDate: 2021-08-29 22:22:04 +0000

    www-client/lynx: add 2.9.0_pre9
    Also update patches, bump to EAPI=8, drop USE={unicode,ipv6}.
    Signed-off-by: John Helmert III <>

 www-client/lynx/Manifest                           |  1 +
 www-client/lynx/files/lynx-2.9.0_pre9-mint.patch   | 11 +++
 .../lynx/files/lynx-2.9.0_pre9-parallel.patch      | 69 +++++++++++++++
 www-client/lynx/lynx-2.9.0_pre9.ebuild             | 98 ++++++++++++++++++++++
 4 files changed, 179 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-29 22:26:35 UTC
Let's give it a little time to stew.

Note the ebuild maps pre ebuilds to upstream's dev releases:

case ${PV} in
    *_pre*) MY_P="${PN}${PV/_pre/dev.}" ;;
    *_rc*)  MY_P="${PN}${PV/_rc/pre.}" ;;
    *_p*|*) MY_P="${PN}${PV/_p/rel.}" ;;