Re: LYNX-DEV new security bulletin drafts

[Jim Spath (Webmaster Jim)]

On Thu, 10 Jul 1997, Jonathan Sergent wrote:
> Can people please look at and comment on the version 3 drafts at
> http://www.io.com/~sergent/c/cert-index.html
> that I announced yesterday afternoon?  I haven't seen any hits on
> them at all!

I looked at them :-)

This sentence needs to be two sentences:

The FOTEMODS patches avoid any pre-existing filenames for new temporary 
files, thus skipping any symbolic link which may have been created with
an upcoming temporary filename, and allows the administrator or user to
                               ^- (These patches allow...)
define TEMP_SPACE (or the LYNX_TEMP_SPACE environment variable) as
"/tmp/$USER" (for example) for pre-existing directories that correspond
to accounts' usernames and have protections/ACLs set for access only by 
the appropriate users.

This is problematic:

  The next release of Lynx will eliminate this vulnerability, at
  which time this bulletin will be updated.

Instead of promising a bulletin revision, advise readers to subscribe
to *and read* the lynx-dev mailing list.

Before saying this:

  General questions about Lynx installation and usage should be
  sent to <address@hidden>.

Add:

  On-line help about Lynx is available using the 'h'elp key.  More help
is available in the source distributions.  Should your questions not
be answered by these means, ...

------
<http://www.cs.indiana.edu/picons/db/users/us/md/lib/bcpl/jspath/face.xbm>
Marvin the Paranoid Android says:
Why stop now just when I'm hating it?

;
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.
;