Package: lynx
Version: 2.8.9dev1-2
Severity: important

Dear Maintainer,

The "http_proxy" variable is silently ignored! This is very dangerous, because a privoxy/tor user who relies on this setting for privacy will be compromised, and they generally will not even be aware of the compromise because the browser retrieves pages over an untrusted connection without warning.

For example, suppose a tor user configures privoxy on port 8118. This will yield an exposed session:

  $ export http_proxy=http://localhost:8118
  $ lynx

To prove that this bug exists, a tor user can run:

  $ http_proxy=http://127.0.0.1:8118 lynx https://torstatus.blutmagie.de/

and see the message saying that the connection is not from the tor network.

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lynx depends on:
ii  lynx-cur  2.8.9dev1-2+b1

lynx recommends no packages.

lynx suggests no packages.

-- no debconf information
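
Added example (not part of the original report and not lynx code): a local check for the failure mode described above, where a client silently skips the configured proxy. The helper proxy_request_line and the urllib stand-in client are assumptions made for illustration; substitute the command line of the browser under test.

```python
import os, socket, subprocess, sys, threading

def proxy_request_line(client_argv, env_var="http_proxy", timeout=10.0):
    """Run client_argv with env_var pointing at a throwaway local listener.
    Returns the first line the client sent to it, or None if the client
    never connected, i.e. it did not use the proxy setting."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # port 0: the kernel picks a free port
    srv.listen(1)
    srv.settimeout(0.2)
    seen, client_done = [], threading.Event()

    def accept_once():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                if client_done.is_set():
                    return                # client exited without connecting
                continue
            with conn:
                conn.settimeout(timeout)
                try:
                    seen.append(conn.recv(4096).split(b"\r\n", 1)[0].decode("latin-1"))
                    conn.sendall(b"HTTP/1.0 502 Bad Gateway\r\n\r\n")
                except OSError:
                    seen.append("")       # connected, but nothing readable
            return

    worker = threading.Thread(target=accept_once, daemon=True)
    worker.start()
    # Drop inherited *_proxy and no_proxy values so only env_var is in effect.
    env = {k: v for k, v in os.environ.items() if not k.lower().endswith("_proxy")}
    env[env_var] = "http://127.0.0.1:%d" % srv.getsockname()[1]
    try:
        subprocess.run(client_argv, env=env, timeout=timeout, stdin=subprocess.DEVNULL,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        pass                              # client hung; judge by what was seen
    client_done.set()
    worker.join()
    srv.close()
    return seen[0] if seen else None

if __name__ == "__main__":
    # Constructed stand-in client; replace with the browser command under test.
    fetch = "import urllib.request as u; u.urlopen('http://example.invalid/', timeout=5)"
    line = proxy_request_line([sys.executable, "-c", fetch])
    print("proxy honored:" if line is not None else "PROXY IGNORED", line)
```

The listener answers 502 and forwards nothing, so no request leaves the machine through it; a client that does not use the setting will still attempt its own direct connection to whatever URL it is given.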