[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Fix for CVE-2010-4524 and CVE-2010-1677 ready for verfication
From:       Earl Hood <earl () earlhood ! com>
Date:       2010-12-30 21:12:04
Message-ID: 4d1cf59f.26092a0a.1c22.ffff9576 () mx ! google ! com
[Download RAW message or body]

I've committed in a potential fix, and made a
snapshot build that should address the following
recent security issues:

  CVE-2010-4524
  CVE-2010-1677

Snapshot release is available at the following location:

  http://www.mhonarc.org/release/MHonArc/dist/

Any build dated 2010-12-30, or later, will contain the
fix.

I ask the interested parties verify that the fix addresses
concerns raised as I would like to make a formal release
as soon as possible.

Summary of fix:

  mhtxthtml.pl filter modified to reject any message with
  nested tags. This is invalid HTML, so any message
  that contains it would likely indicate a possible attack.

Whenever a formal, public, announcement of these vulnerabilities
are raise, please include link to the MHonArc FAQ that discusses
the security risks of HTML mail and how to disable HTML mail
in mhonarc archives:

  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata
  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

This may be useful for users who may not be able to upgrade
to the latest release, but need a work-around solution to secure
their sites.

Thanks,

--ewh
-- 
Earl Hood, <earl@earlhood.com>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>
[prev in list] [next in list] [prev in thread] [next in thread]