List:       mhonarc
Subject:    Re: [approved] 2.5.3 security question
From:       Earl Hood <earl () earlhood ! com>
Date:       2002-08-25 1:19:25

On August 24, 2002 at 03:11, Jeff Breidenbach wrote:

> I'm wearing my debian package maintainer hat at the moment.
> 
> How serious are the security issues with MHonArc 2.5.3? Debian is
> shipping 2.5.3 in our stable branch, which we generally don't mess
> with except for security problems. The release notes indicate
> that 2.5.3 has some vulnerabilities.
> 
> Do MHonArc developers recommend we issue an advisory and take action
> (provide a newer MHonArc or backport a security fix?)  Or is the
> particular problem not such a big deal?

v2.5.3 actually included some additional filtering to minimize
XSS vulnerabilities in HTML messages.  The CAUTION in v2.5.3 just
states that HTML messages should be treated as possible security
problems and no guarantee is provided for the default HTML filtering
capabilities in MHonArc to prevent all XSS exploits.

--ewh
