Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 664730 - CVE-2010-1677 CVE-2010-4524 MHonArc: multiple vulnerabilities [fedora-all]
Summary: CVE-2010-1677 CVE-2010-4524 MHonArc: multiple vulnerabilities [fedora-all]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mhonarc
Version: 14
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: José Matos
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 667483 (view as bug list)
Depends On:
Blocks: CVE-2010-4524 CVE-2010-1677
TreeView+ depends on / blocked
 
Reported: 2010-12-21 14:06 UTC by Jan Lieskovsky
Modified: 2011-03-23 22:59 UTC (History)
6 users (show)

Fixed In Version: mhonarc-2.6.18-3.fc14
Doc Type: Release Note
Doc Text:
Clone Of:
: 666468 666470 (view as bug list)
Environment:
Last Closed: 2011-03-21 03:31:19 UTC
Type: ---


Attachments (Terms of Use)
patch for CVE-2010-4524 (1.21 KB, patch)
2010-12-31 00:55 UTC, Kurt Seifried
no flags Details | Diff
Update the spec file to the new upstream release (1.46 KB, patch)
2011-01-11 14:02 UTC, Jeff Schroeder
no flags Details | Diff
Update the spec file - Version 2 (1.46 KB, patch)
2011-01-11 14:06 UTC, Jeff Schroeder
no flags Details | Diff

Description Jan Lieskovsky 2010-12-21 14:06:29 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=664718

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please only close it when all
affected versions are fixed.


[bug automatically created by: add-tracking-bugs]

Comment 1 Kurt Seifried 2010-12-31 00:52:59 UTC
http://seclists.org/oss-sec/2010/q4/376

From: 	Earl Hood   	12/30/10 3:12 PM 	  	 
To: 	oss-security <oss-security@lists.openwall.com>
CC: 	"Steven M. Christey" <coley@linus.mitre.org>,"non customers" <non-customers@operamail.com>, jeff@jab.org,geissert@debian.org, vendor-sec@lst.de, mhonarc-dev@mhonarc.org
Subject: 	[oss-security] Fix for CVE-2010-4524 and CVE-2010-1677 ready for verfication
I've committed in a potential fix, and made a
snapshot build that should address the following
recent security issues:

  CVE-2010-4524
  CVE-2010-1677

Snapshot release is available at the following location:

  http://www.mhonarc.org/release/MHonArc/dist/

Any build dated 2010-12-30, or later, will contain the
fix.

I ask the interested parties verify that the fix addresses
concerns raised as I would like to make a formal release
as soon as possible.

Summary of fix:

  mhtxthtml.pl filter modified to reject any message with
  nested tags. This is invalid HTML, so any message
  that contains it would likely indicate a possible attack.

Whenever a formal, public, announcement of these vulnerabilities
are raise, please include link to the MHonArc FAQ that discusses
the security risks of HTML mail and how to disable HTML mail
in mhonarc archives:

  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata
  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

This may be useful for users who may not be able to upgrade
to the latest release, but need a work-around solution to secure
their sites.

Thanks,

--ewh
-- 
Earl Hood, <earl@earlhood.com>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>

Comment 2 Kurt Seifried 2010-12-31 00:55:47 UTC
Created attachment 471232 [details]
patch for CVE-2010-4524

diff -ru MHonArc-2.6.16 MHonArc-2010-12-30-snap > diff-ru.txt

Comment 3 Vincent Danen 2011-01-05 18:36:01 UTC
*** Bug 667483 has been marked as a duplicate of this bug. ***

Comment 4 Jeff Schroeder 2011-01-11 14:02:53 UTC
Created attachment 472817 [details]
Update the spec file to the new upstream release

Update mhonarc to the latest upstream version.

Comment 5 Jeff Schroeder 2011-01-11 14:06:06 UTC
Created attachment 472818 [details]
Update the spec file - Version 2

Version 2:
    - Escape %{version} in %changelog (thanks for the pointer kalev!)

Comment 6 Fedora Update System 2011-03-15 13:51:26 UTC
mhonarc-2.6.18-3.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mhonarc-2.6.18-3.fc14

Comment 7 Fedora Update System 2011-03-15 13:53:32 UTC
mhonarc-2.6.18-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mhonarc-2.6.18-3.fc15

Comment 8 Fedora Update System 2011-03-15 13:55:29 UTC
mhonarc-2.6.18-3.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mhonarc-2.6.18-3.fc13

Comment 9 Fedora Update System 2011-03-21 03:31:08 UTC
mhonarc-2.6.18-3.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2011-03-23 22:49:55 UTC
mhonarc-2.6.18-3.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2011-03-23 22:59:41 UTC
mhonarc-2.6.18-3.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.