Lynx before 2.8.9dev.16 is vulnerable to a use after free in the HTML parser resulting in memory disclosure, because HTML.c:HTML_put_string() can append a chunk onto itself.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000211
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000211.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000211
https://github.com/ThomasDickey/lynx-snapshots/commit/280a61b300a1614f6037efc0902ff7ecf17146e9
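
The bug class named in the description, appending a growable buffer onto itself, shown as an added example that is not Lynx's code and not taken from the linked commit. The `chunk_t` type and the `chunk_*` function names are hypothetical; the unsafe append sits beside a hardened one that re-derives an aliased source pointer after the buffer grows.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical growable buffer standing in for a parser "chunk"; not Lynx's type. */
typedef struct { char *data; size_t size; } chunk_t;
/* Make room for n more bytes; realloc() may move the block and free the old one. */
static int chunk_grow(chunk_t *c, size_t n)
{
    if (n > SIZE_MAX - c->size) return -1;
    char *p = realloc(c->data, c->size + n);
    if (!p) return -1;
    c->data = p;
    return 0;
}

/* Vulnerable shape: a source pointer into c->data dangles once the block moves. */
int chunk_append_unsafe(chunk_t *c, const char *s, size_t n)
{
    if (chunk_grow(c, n)) return -1;
    memcpy(c->data + c->size, s, n);   /* may read freed heap memory */
    c->size += n;
    return 0;
}

/* Hardened shape: record the source as an offset before growing, re-derive after. */
int chunk_append_safe(chunk_t *c, const char *s, size_t n)
{
    size_t off = (size_t)((uintptr_t)s - (uintptr_t)c->data);
    int aliased = off < c->size;            /* s lies inside the chunk's own data */
    if (n == 0) return 0;
    if (aliased && n > c->size - off) return -1;   /* source exceeds valid data */
    if (chunk_grow(c, n)) return -1;
    if (aliased) s = c->data + off;
    memcpy(c->data + c->size, s, n);
    c->size += n;
    return 0;
}

/* Constructed check: append the chunk onto itself 10 times, then verify content. */
int self_append_demo(void)
{
    chunk_t c = {0};
    int ok = chunk_append_safe(&c, "abcdefgh", 8) == 0;
    for (int i = 0; ok && i < 10; i++) ok = chunk_append_safe(&c, c.data, c.size) == 0;
    ok = ok && c.size == 8192 && chunk_append_safe(&c, c.data + 1, c.size) == -1;
    for (size_t i = 0; ok && i < c.size; i++) ok = c.data[i] == "abcdefgh"[i % 8];
    free(c.data);
    return ok;
}
```

Building a caller of `chunk_append_unsafe` with AddressSanitizer (`-fsanitize=address`) reports the read of freed memory whenever `realloc()` moves the block.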
Created lynx tracking bugs for this issue:

Affects: fedora-25 [bug 1522618]
Affects: fedora-26 [bug 1522619]
It makes no sense to create tracking bugs for each release of Fedora separately when they both describe the same issue. Moreover, Fedora 25 will shortly reach EOL, so the f25 update would hardly ever reach stable update repositories...
Statement: This issue did not affect the versions of lynx as shipped with Red Hat Enterprise Linux 5 and 6. This issue affects the versions of lynx as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.