Bug 664730

Summary: CVE-2010-1677 CVE-2010-4524 MHonArc: multiple vulnerabilities [fedora-all]

| Field | Value |
|---|---|
| Product | Fedora |
| Component | mhonarc |
| Reporter | Jan Lieskovsky <jlieskov> |
| Assignee | José Matos <jamatos> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | 14 |
| CC | gerd, jamatos, kurt, tremble, uckelman, vdanen |
| Keywords | Security, SecurityTracking |
| Hardware | All |
| OS | Linux |
| Fixed In Version | mhonarc-2.6.18-3.fc14 |
| Doc Type | Release Note |
| | 666468 666470 (view as bug list) |
| Bug Blocks | 664718, 667478 |
| Last Closed | 2011-03-21 03:31:19 UTC |
Description
Jan Lieskovsky
2010-12-21 14:06:29 UTC
http://seclists.org/oss-sec/2010/q4/376

From: Earl Hood 12/30/10 3:12 PM
To: oss-security <oss-security.com>
CC: "Steven M. Christey" <coley.org>, "non customers" <non-customers>, jeff, geissert, vendor-sec, mhonarc-dev
Subject: [oss-security] Fix for CVE-2010-4524 and CVE-2010-1677 ready for verification

I've committed a potential fix, and made a snapshot build that should address the following recent security issues:

CVE-2010-4524
CVE-2010-1677

Snapshot release is available at the following location:

http://www.mhonarc.org/release/MHonArc/dist/

Any build dated 2010-12-30, or later, will contain the fix.

I ask that the interested parties verify that the fix addresses the concerns raised, as I would like to make a formal release as soon as possible.

Summary of fix: mhtxthtml.pl filter modified to reject any message with nested tags. This is invalid HTML, so any message that contains it would likely indicate a possible attack.

Whenever a formal, public announcement of these vulnerabilities is raised, please include a link to the MHonArc FAQ that discusses the security risks of HTML mail and how to disable HTML mail in mhonarc archives:

http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata
http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

This may be useful for users who may not be able to upgrade to the latest release, but need a work-around solution to secure their sites.

Thanks,

--ewh

--
Earl Hood, <earl>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>

Created attachment 471232 [details]
patch for CVE-2010-4524

diff -ru MHonArc-2.6.16 MHonArc-2010-12-30-snap > diff-ru.txt

*** Bug 667483 has been marked as a duplicate of this bug. ***

Created attachment 472817 [details]
Update the spec file to the new upstream release
Update mhonarc to the latest upstream version.
Created attachment 472818 [details]
Update the spec file - Version 2
Version 2:
- Escape %{version} in %changelog (thanks for the pointer kalev!)
mhonarc-2.6.18-3.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mhonarc-2.6.18-3.fc14

mhonarc-2.6.18-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mhonarc-2.6.18-3.fc15

mhonarc-2.6.18-3.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mhonarc-2.6.18-3.fc13

mhonarc-2.6.18-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

mhonarc-2.6.18-3.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.

mhonarc-2.6.18-3.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
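The fix summarised in Earl Hood's message in the description (reject any HTML message part containing a tag that opens inside another, still-open tag) can be approximated by the check below. This is an added illustration, not MHonArc's own mhtxthtml.pl code; the function names and sample inputs are constructed for this example, and it assumes the simplest reading of "nested tag" (a second `<` before the current tag's `>`), without special-casing comments or quoted attribute values.

```python
# Added illustration, not MHonArc's mhtxthtml.pl: a minimal "nested tag"
# rejection check in the spirit of the fix for CVE-2010-4524 / CVE-2010-1677.
# Assumption: a nested tag is any '<' seen while an earlier '<' has not yet
# been closed by '>'. Comments and quoted attribute values are not
# special-cased; anything that would need them is treated as invalid HTML,
# matching the "reject rather than repair" stance of the described fix.
from typing import Optional


def find_nested_tag(html: str) -> Optional[int]:
    """Return the offset of the first '<' that appears while a tag is still
    open, or None if the part contains no nested tag."""
    open_at: Optional[int] = None      # offset of the currently open '<'
    for i, ch in enumerate(html):
        if ch == "<":
            if open_at is not None:    # a tag opened inside an open tag
                return i
            open_at = i
        elif ch == ">":
            open_at = None             # current tag closed normally
    return None                        # an unterminated final tag is not nested


def accept_html_part(html: str) -> bool:
    """Archive-side policy: drop the whole HTML part if nesting is detected,
    rather than trying to sanitise it."""
    return find_nested_tag(html) is None


# Constructed sample inputs (not from the bug or the advisory).
WELL_FORMED = '<p>Quarterly report: <a href="https://example.invalid/r">link</a></p>'
NESTED = "<p<b>>text</p>"              # second '<' at offset 2, inside the open <p

if __name__ == "__main__":
    for label, part in (("well-formed", WELL_FORMED), ("nested", NESTED)):
        pos = find_nested_tag(part)
        verdict = "accepted" if accept_html_part(part) else f"rejected (nested '<' at {pos})"
        print(f"{label}: {verdict}")
```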