Jude DaShiell | 28 May 18:08 2015

lynx and logjam

I checked earlier today and discovered lynx is vulnerable to the logjam 
hack even without javascript capability.  Most other browsers are likewise 
vulnerable so I got curious and checked it out for myself.

_______________________________________________
Lynx-dev mailing list
Lynx-dev <at> nongnu.org
https://lists.nongnu.org/mailman/listinfo/lynx-dev

Rudá Moura | 27 May 18:58 2015

Using user_mode = ADVANCED and running lynx throws 'pointer being freed was not allocated' on OS X

The discussion started here https://github.com/rudix-mac/rudix/issues/52
There's a patch attached that seems to fix the problem.

% lynx --version
Lynx Version 2.8.9dev.6 (06 May 2015)

% cat .lynxrc
user_mode = ADVANCED

% lynx
lynx(52571,0x7fff7d6e7300) malloc: *** error for object 0x7fa0a0d01911: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
zsh: abort      lynx

% lldb lynx
(lldb) target create "lynx"
Current executable set to 'lynx' (x86_64).
(lldb) run
Process 52580 launched: '/usr/local/bin/lynx' (x86_64)
lynx(52580,0x7fff7d6e7300) malloc: *** error for object 0x100400ef1: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Process 52580 stopped
* thread #1: tid = 0x91a4f6, 0x00007fff8c618286 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
    frame #0: 0x00007fff8c618286 libsystem_kernel.dylib`__pthread_kill + 10

libsystem_kernel.dylib`__pthread_kill:

->  0x7fff8c618286 <+10>: jae    0x7fff8c618290            ; <+20>
    0x7fff8c618288 <+12>: movq   %rax, %rdi
    0x7fff8c61828b <+15>: jmp    0x7fff8c613c53            ; cerror_nocancel
    0x7fff8c618290 <+20>: retq   

(lldb) bt

* thread #1: tid = 0x91a4f6, 0x00007fff8c618286 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x00007fff8c618286 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff9a4e242f libsystem_pthread.dylib`pthread_kill + 90
    frame #2: 0x00007fff933bdb53 libsystem_c.dylib`abort + 129
    frame #3: 0x00007fff90a46937 libsystem_malloc.dylib`free + 428
    frame #4: 0x0000000100054f48 lynx`LYsetRcValue + 841
    frame #5: 0x00000001000551ba lynx`read_rc + 356
    frame #6: 0x0000000100026676 lynx`main + 2388
    frame #7: 0x000000010000119c lynx`start + 52
(lldb) ^D

% lynx --version
Lynx Version 2.8.9dev.6 (06 May 2015)
libwww-FM 2.14, SSL-MM 1.4.1, OpenSSL 0.9.8zd, ncurses 5.7.20081102
Criado em darwin14.3.0 May 27 2015 13:30:59
...

--
Attachment (LYrcFile.c.patch): application/octet-stream, 709 bytes
Hart Larry | 27 May 16:59 2015

Did Append Get Broken in dev6?

To my surprise, an append option is now missing in my print menu. The Unix 
account is running this latest version, while here at home in Debian I am still 
running dev5 and still have an append option. Since I save a lot of 
news-articles by date, I find this option really helpful. My print menu now only 
has 4 items instead of maybe 11. Thanks so much in advance
Hart


Federico Caprari | 22 May 12:25 2015

Fwd: Download link broken

As you can see, the link for downloading lynx is broken, and the address web <at> lynx.browser.org is no longer working. Is lynx still being developed?


---------- Forwarded message ----------
From: Federico Caprari <korsmakolnikov <at> gmail.com>
Date: 2015-05-22 12:23 GMT+02:00
Subject: Download link broken
To: web <at> lynx.browser.org


Hi, today I tried to download lynx and the link was broken.

Regards. 

Matt Caswell | 19 May 18:02 2015

Re: SSLv23 method gone now


On 19/05/15 15:04, Thorsten Glaser wrote:
> Gisle Vanem dixit:
> 
>> +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
> 
> No. The change is not a property of the version number.
> I have OpenSSL 0.9.7 (plus patches…) without SSLv{2,3}.
> 
> Index: HTTP.c
> ===================================================================
> RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTP.c,v
> retrieving revision 1.26
> retrieving revision 1.27
> diff -u -p -r1.26 -r1.27
> --- HTTP.c      13 Mar 2014 04:46:43 -0000      1.26
> +++ HTTP.c      4 Jan 2015 22:24:27 -0000       1.27
>  <at>  <at>  -124,7 +124,11  <at>  <at>  SSL *HTGetSSLHandle(void)
>         ssl_opts &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
>  #endif
>         SSLeay_add_ssl_algorithms();
> +#if defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3)
> +       ssl_ctx = SSL_CTX_new(TLSv1_client_method());
> +#else
>         ssl_ctx = SSL_CTX_new(SSLv23_client_method());
> +#endif
>         SSL_CTX_set_options(ssl_ctx, ssl_opts);
>         SSL_CTX_set_default_verify_paths(ssl_ctx);
>         SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, HTSSLCallback);
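Review bot: The #if defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3) branch switches to TLSv1_client_method(), which fixes the connection at TLS 1.0, so a build against a library without SSLv2/SSLv3 would also lose TLS 1.1 and TLS 1.2. SSLv23_client_method() is the version-negotiating method and does not depend on those protocols being compiled in; I would drop the conditional, keep the existing call, and leave protocol exclusion to the ssl_opts value passed to SSL_CTX_set_options() on the following line.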
> 
> This should do the trick.

This is not correct.

Despite their name the SSLv23_*method() functions have nothing to do
with the availability of SSLv2 or SSLv3. What these functions do is
negotiate with the peer the highest available SSL/TLS protocol version
available. The name is as it is for historic reasons. This is a very
common confusion and is the main reason why these names have been
deprecated in the latest dev version of OpenSSL.

The OP suggested this:

+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+       ssl_ctx = SSL_CTX_new(TLSv1_client_method());
+#else
        ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+#endif

This is not quite correct either. TLSv1_client_method() will force
TLS1.0 only. This is the correct approach:

+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+       ssl_ctx = SSL_CTX_new(TLS_client_method());
+#else
        ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+#endif
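Review bot: The #if/#else has no comment saying that both branches select the same version-negotiating client method, and the SSLv23 name has already led two patches in this thread to swap in TLSv1_client_method(). Add a one-line comment above the #if stating that TLS_client_method() is the new name for SSLv23_client_method() and that both negotiate the highest protocol version the two sides share.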

Alternatively you can continue to use the old SSLv23_client_method()
name - but if you do so you will have to enable deprecated functions.

Matt

Gisle Vanem | 19 May 16:47 2015

SSLv23 method gone now

Seems OpenSSL is now moving ahead so fast it's breaking a
lot of applications. Now on Lynx/MSVC:
   www.lib(HTTP.obj) : error LNK2019: unresolved external symbol _SSLv23_client_method
   referenced in function _HTGetSSLHandle

What's the best fix for this now?

I just did this w/o actually knowing OpenSSL that well:

--- orig/WWW/Library/Implementation/http.c      2015-05-07 02:56:19 +0000
+++ WWW/Library/Implementation/http.c   2015-05-19 16:42:37 +0000
 <at>  <at>  -173,7 +173,11  <at>  <at> 
         X509_set_default_verify_paths(ssl_ctx->cert);
  #else
         SSLeay_add_ssl_algorithms();
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+       ssl_ctx = SSL_CTX_new(TLSv1_client_method());
+#else
         ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+#endif
  #ifdef SSL_OP_NO_SSLv2
         SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
  #else
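Review bot: In the new OPENSSL_VERSION_NUMBER >= 0x10100000L branch, TLSv1_client_method() restricts the client to TLS 1.0, so builds against newer OpenSSL can never negotiate TLS 1.1 or 1.2; use the version-negotiating TLS_client_method() there instead. Separately, the unchanged SSL_CTX_set_options() context line passes only SSL_OP_NO_SSLv2, so SSL 3 remains negotiable in the SSLv23_client_method() branch; consider adding SSL_OP_NO_SSLv3 under its own #ifdef.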

---------------

But it seems to work. From:
   lynx https://www.ssllabs.com/ssltest/viewMyClient.html

Protocol Features
Protocols
  TLS 1.2 No
  TLS 1.1 No
  TLS 1.0 Yes*
  SSL 3   Yes*
  SSL 2   No

-- 
--gv


henry atts | 17 May 06:49 2015

Building problem (charset, utf8?)

Hi,

as the stable/unstable versions of lynx-cur in the debian repos are
buggy (unable to make secure connections) I did build lynx myself:

Lynx Version 2.8.9dev.6 (06 May 2015)
libwww-FM 2.14, SSL-MM 1.4.1, OpenSSL 1.0.2a, ncurses 5.9.20140913
Built on linux-gnu May 17 2015 06:18:53

Making secure connections is possible (again) now but lynx lacks utf-8
support now. For example, German umlauts are displayed like this:

Forenübersicht is replaced by Foren-M-C~\bersicht

As far as I can see utf8 is the default option for `configure'.

Cheers,
henry

Thorsten Glaser | 17 May 00:02 2015

bug: lynx parses <title> from SVG inside <body> as document <title> even outside of HTML <head>

Hi,

Subject says all, I know, but Subject is not the place for it, so:

Assume a document like this:

<html>
 <head>
  <title>foo</title>
 </head>
 <body>
  <div>
   <svg>
    <title>bar</title>
…

lynx uses “bar” as title (in the topmost screen line) mistakenly.

bye,
//mirabilos
-- 
>> Why don't you use JavaScript? I also don't like enabling JavaScript in
> Because I use lynx as browser.
+1
	-- Octavio Alvarez, me and ⡍⠁⠗⠊⠕ (Mario Lang) on debian-devel

sylvain.bertrand | 14 May 00:43 2015

multipart/form-data file upload

Hi,

Any feedback/rumors or anything else, related to lynx and multipart/form-data file upload?
(just got bitten by bugzilla file upload)

best regards,

-- 
Sylvain


Andreas Metzler | 11 May 19:09 2015

gnutls priority string disables any signature algorithms and certificate types

Hello,

lynx 2.8.9dev6 uses the following GnuTLS priority string:
NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL:+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5

This disables any signature algorithms and certificate types:

(SID)ametzler@argenau:~$ gnutls-cli --priority=NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL:+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5 -l | tail -n4
Protocols: VERS-SSL3.0, VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
Compression: COMP-NULL
Elliptic curves: none
PK-signatures: none

Starting with GnuTLS 3.3.15 this causes connection failures, since now
GnuTLS was fixed to correctly check PK-signature algorithms
(GNUTLS-SA-2015-2). Connecting to e.g. www.kernel.org now fails.

As a hotfix +CTYPE-X.509:+SIGN-ALL could be added, however looking at the
string I wonder whether it would not be better if lynx simply used
GnuTLS default settings with gnutls_set_default_priority() by default.
Optionally a configuration option allowing a user to specify an
alternate priority-string could be used.

I doubt that e.g. a deliberate choice was made to disable ECDHE and
SHA256 MAC when the priority string was hardcoded.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
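
The empty "PK-signatures" result reported in the message above can be reproduced offline with a small lint. This is an added example, not code from lynx, GnuTLS or the original post; it is a simplified model that only handles strings starting from NONE, and its keyword tables (KX, MACS, the prefix map, the REQUIRED list) are assumptions built from the keywords that appear in this thread.

```python
# Simplified lint for GnuTLS priority strings that start from NONE.
# Not GnuTLS's parser: categories are inferred from keyword prefixes and
# small hand-built tables covering only the keywords seen in this thread.
PREFIXES = {"VERS-": "protocols", "COMP-": "compression", "SIGN-": "signatures",
            "CTYPE-": "cert_types", "CURVE-": "curves"}
KX = {"DHE-RSA", "RSA", "DHE-DSS"}          # key-exchange keywords in the string
MACS = {"SHA1", "MD5"}                      # MAC keywords in the string
# Categories that must be non-empty for a certificate-authenticated handshake
# (assumption of this lint; curves are optional without ECDHE).
REQUIRED = ("protocols", "ciphers", "kx", "macs", "compression",
            "signatures", "cert_types")

# The priority string quoted in the message, and the proposed hotfix.
LYNX = ("NONE:+VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0"
        ":+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC"
        ":+CAMELLIA-256-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+COMP-NULL"
        ":+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5")
HOTFIX = LYNX + ":+CTYPE-X.509:+SIGN-ALL"


def classify(keyword):
    """Map one keyword (without the leading '+') to a category."""
    for prefix, category in PREFIXES.items():
        if keyword.startswith(prefix):
            return category
    if keyword in KX:
        return "kx"
    if keyword in MACS:
        return "macs"
    return "ciphers"  # assumption: anything else in these strings is a cipher


def enabled_categories(priority):
    """Return {category: [keywords]} for a NONE-based priority string."""
    tokens = priority.split(":")
    if tokens[0] != "NONE":
        raise ValueError("this lint only models strings that start from NONE")
    enabled = {category: [] for category in REQUIRED + ("curves",)}
    for token in tokens[1:]:
        if not token.startswith("+"):
            raise ValueError(f"unsupported token: {token!r}")
        enabled[classify(token[1:])].append(token[1:])
    return enabled


def missing_categories(priority):
    """List required categories that the string never enables."""
    enabled = enabled_categories(priority)
    return [category for category in REQUIRED if not enabled[category]]
```

Running missing_categories() over a hardcoded string before shipping it flags categories that NONE has left empty.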


sylvain.bertrand | 11 May 15:33 2015

lynx sigwinch (terminal resizing)

Hi,

I use mlterm and lynx does not perform automatic resizing (mutt does).

2.8.9dev.6, ncurses 5.9.20150502(wide)

By design, not supported, compilation option?

regards,

-- 
Sylvain
