Date: Thu, 30 Dec 2010 15:12:04 -0600 From: Earl Hood <earl@...lhood.com> To: oss-security <oss-security@...ts.openwall.com> cc: "Steven M. Christey" <coley@...us.mitre.org>, "non customers" <non-customers@...ramail.com>, jeff@....org, geissert@...ian.org, vendor-sec@....de, mhonarc-dev@...narc.org Subject: Fix for CVE-2010-4524 and CVE-2010-1677 ready for verfication I've committed in a potential fix, and made a snapshot build that should address the following recent security issues: CVE-2010-4524 CVE-2010-1677 Snapshot release is available at the following location: http://www.mhonarc.org/release/MHonArc/dist/ Any build dated 2010-12-30, or later, will contain the fix. I ask the interested parties verify that the fix addresses concerns raised as I would like to make a formal release as soon as possible. Summary of fix: mhtxthtml.pl filter modified to reject any message with nested tags. This is invalid HTML, so any message that contains it would likely indicate a possible attack. Whenever a formal, public, announcement of these vulnerabilities are raise, please include link to the MHonArc FAQ that discusses the security risks of HTML mail and how to disable HTML mail in mhonarc archives: http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow This may be useful for users who may not be able to upgrade to the latest release, but need a work-around solution to secure their sites. Thanks, --ewh -- Earl Hood, <earl@...lhood.com> Web: <http://www.earlhood.com/> PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.