Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)]


From: Scott McGee (Personal)
Subject: Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)]
Date: Thu, 8 May 1997 10:41:39 -0600

I can see people with space problems finding it difficult to use lynx if it
puts temp files under $HOME. Maybe the thing to do is to leave temp as is,
but within temp create a directory (with appropriate checks to ensure it is
not there already) with owner only permissions, then use that directory for
all temp files. We create it, so nobody can get in ahead of us, and we set
permission so that nobody can get in after creation. On exit, we just do a
recursive deletion of that directory.

This way, we make use of whatever directory the installer (individual user
or sysadmin) feels is most appropriate for temp space, but provide security
for it too.

I missed the talk of a CERT advisory, but if they are going to issue such,
I agree that we should get a fix in place, release the fixed version as
either 2.7.2 or 2.8 (depending on the code base and what Fote feels about
2.7.2), and let the CERT people announce the new version along with the
advisory.

This actually gets us several things. It lets people know that Lynx IS under
current development. It further tells them that we are security conscious and
that Lynx reflects that. It buys us free advertising of the latest version.
And hopefully, it will get a "modern" version (post GPL and the move away
from UKANS) onto sites that may not bother otherwise. (The latter also helps
by moving more people to versions of Lynx that point at lynx.browser.org and
other "current" sources of help and information.)

Scott

Scott McGee: Salt Lake Community College Webmaster | When in danger,
___________________________________________________| or in doubt,
Email: address@hidden (Scott McGee)         | run in circles,
Web:   http://www.slcc.edu/infotech/webmaster.html | scream and shout.
----------------------------------------------------------------------
My opinions do not necessarily reflect those of the College. Trust me!
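
The scheme proposed in the message above (an owner-only directory created inside the configured temp space, all temp files kept in it, recursive deletion on exit), shown as an added C example that is neither Lynx code nor part of the original post. The function names, the `lynx-` prefix, the `/tmp` base and the file name are assumptions made for illustration; `mkdtemp()` stands in for the "check it is not there already" step because it creates the directory atomically or fails.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and lstat() */
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a fresh owner-only directory under base; its path is written to out. */
int make_private_dir(const char *base, char *out, size_t outlen) {
    struct stat st;
    if ((size_t)snprintf(out, outlen, "%s/lynx-XXXXXX", base) >= outlen) return -1;
    if (mkdtemp(out) == NULL) return -1;   /* atomic: never adopts an existing name */
    if (lstat(out, &st) == 0 && S_ISDIR(st.st_mode) &&
        st.st_uid == geteuid() && (st.st_mode & 0777) == 0700) return 0;
    rmdir(out);                            /* not ours or too open: refuse it */
    return -1;
}

/* Create one temp file inside the private directory; fails if the name exists. */
int open_private_file(const char *dir, const char *name) {
    char path[PATH_MAX];
    if ((size_t)snprintf(path, sizeof path, "%s/%s", dir, name) >= sizeof path) return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Recursive deletion for exit; lstat() so symlinks are unlinked, not followed. */
int remove_tree(const char *path) {
    struct stat st;
    struct dirent *e;
    char child[PATH_MAX];
    DIR *d;
    if (lstat(path, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return unlink(path);
    if ((d = opendir(path)) == NULL) return -1;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        if ((size_t)snprintf(child, sizeof child, "%s/%s", path, e->d_name) < sizeof child)
            remove_tree(child);
    }
    closedir(d);
    return rmdir(path);
}
int main(void) {
    char dir[PATH_MAX];
    if (make_private_dir("/tmp", dir, sizeof dir) != 0) return 1;
    int fd = open_private_file(dir, "page1.html");   /* constructed file name */
    if (fd >= 0) close(fd);
    return remove_tree(dir) != 0;
}
```

A real program would register the cleanup with `atexit()` and its signal handlers so the directory is also removed on abnormal exit.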