Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 30 Dec 2010 15:12:04 -0600
From: Earl Hood <>
To: oss-security <>
cc: "Steven M. Christey" <>,
    "non customers" <>,,,,
Subject: Fix for CVE-2010-4524 and CVE-2010-1677 ready for verfication

I've committed in a potential fix, and made a
snapshot build that should address the following
recent security issues:


Snapshot release is available at the following location:

Any build dated 2010-12-30, or later, will contain the

I ask the interested parties verify that the fix addresses
concerns raised as I would like to make a formal release
as soon as possible.

Summary of fix: filter modified to reject any message with
  nested tags. This is invalid HTML, so any message
  that contains it would likely indicate a possible attack.

Whenever a formal, public, announcement of these vulnerabilities
are raise, please include link to the MHonArc FAQ that discusses
the security risks of HTML mail and how to disable HTML mail
in mhonarc archives:

This may be useful for users who may not be able to upgrade
to the latest release, but need a work-around solution to secure
their sites.


Earl Hood, <>
Web: <>
PGP Public Key: <>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.