Bug 666468 - Bug 664730 - MHonArc: Improper escaping of certain HTML sequences (XSS) [fedora-all]
Summary: Bug 664730 - MHonArc: Improper escaping of certain HTML sequences (XSS) [fedo...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: m17n-db
Version: 5.8
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Parag Nemade
QA Contact: QE Internationalization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-31 00:59 UTC by Kurt Seifried
Modified: 2011-02-01 07:17 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 664730
Environment:
Last Closed: 2011-02-01 07:17:55 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Kurt Seifried 2010-12-31 00:59:06 UTC 
+++ This bug was initially created as a clone of Bug #664730 +++


This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=664718

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please only close it when all
affected versions are fixed.


[bug automatically created by: add-tracking-bugs]

--- Additional comment from kurt on 2010-12-30 19:52:59 EST ---

http://seclists.org/oss-sec/2010/q4/376

From: 	Earl Hood   	12/30/10 3:12 PM 	  	 
To: 	oss-security <oss-security.com>
CC: 	"Steven M. Christey" <coley.org>,"non customers" <non-customers>, jeff,geissert, vendor-sec, mhonarc-dev
Subject: 	[oss-security] Fix for CVE-2010-4524 and CVE-2010-1677 ready for verfication
I've committed in a potential fix, and made a
snapshot build that should address the following
recent security issues:

  CVE-2010-4524
  CVE-2010-1677

Snapshot release is available at the following location:

  http://www.mhonarc.org/release/MHonArc/dist/

Any build dated 2010-12-30, or later, will contain the
fix.

I ask the interested parties verify that the fix addresses
concerns raised as I would like to make a formal release
as soon as possible.

Summary of fix:

  mhtxthtml.pl filter modified to reject any message with
  nested tags. This is invalid HTML, so any message
  that contains it would likely indicate a possible attack.

Whenever a formal, public, announcement of these vulnerabilities
are raise, please include link to the MHonArc FAQ that discusses
the security risks of HTML mail and how to disable HTML mail
in mhonarc archives:

  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata
  http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

This may be useful for users who may not be able to upgrade
to the latest release, but need a work-around solution to secure
their sites.

Thanks,

--ewh
-- 
Earl Hood, <earl>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>

--- Additional comment from kurt on 2010-12-30 19:55:47 EST ---

Created attachment 471232 [details]
patch for CVE-2010-4524

diff -ru MHonArc-2.6.16 MHonArc-2010-12-30-snap > diff-ru.txt
Comment 1 Parag Nemade 2011-02-01 07:14:04 UTC 
How can above bug be related to m17n-db?
Comment 2 Parag Nemade 2011-02-01 07:17:55 UTC 
looks MHonArc is not in RHEL5
Note You need to log in before you can comment on or make changes to this bug.