This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.

For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product. Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=664718

Please note: this issue affects multiple supported versions of Fedora. Only one tracking bug has been filed; please only close it when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]
http://seclists.org/oss-sec/2010/q4/376

From: Earl Hood
12/30/10 3:12 PM
To: oss-security <oss-security.com>
CC: "Steven M. Christey" <coley.org>,"non customers" <non-customers>, jeff,geissert, vendor-sec, mhonarc-dev
Subject: [oss-security] Fix for CVE-2010-4524 and CVE-2010-1677 ready for verification

I've committed a potential fix, and made a snapshot build that should address the following recent security issues:

CVE-2010-4524
CVE-2010-1677

Snapshot release is available at the following location:

http://www.mhonarc.org/release/MHonArc/dist/

Any build dated 2010-12-30, or later, will contain the fix.

I ask that the interested parties verify that the fix addresses concerns raised as I would like to make a formal release as soon as possible.

Summary of fix: mhtxthtml.pl filter modified to reject any message with nested tags. This is invalid HTML, so any message that contains it would likely indicate a possible attack.

Whenever a formal, public announcement of these vulnerabilities is raised, please include a link to the MHonArc FAQ that discusses the security risks of HTML mail and how to disable HTML mail in mhonarc archives:

http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata
http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

This may be useful for users who may not be able to upgrade to the latest release, but need a work-around solution to secure their sites.

Thanks,

--ewh

--
Earl Hood, <earl>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>
Created attachment 471232
patch for CVE-2010-4524

diff -ru MHonArc-2.6.16 MHonArc-2010-12-30-snap > diff-ru.txt
*** Bug 667483 has been marked as a duplicate of this bug. ***
Created attachment 472817
Update the spec file to the new upstream release

Update mhonarc to the latest upstream version.
Created attachment 472818
Update the spec file - Version 2

Version 2:
- Escape %{version} in %changelog (thanks for the pointer kalev!)
mhonarc-2.6.18-3.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/mhonarc-2.6.18-3.fc14
mhonarc-2.6.18-3.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/mhonarc-2.6.18-3.fc15
mhonarc-2.6.18-3.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/mhonarc-2.6.18-3.fc13
mhonarc-2.6.18-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
mhonarc-2.6.18-3.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
mhonarc-2.6.18-3.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.