+ # Bug-32014 (CVE-2010-1677): Prevents DoS if massively nested.

--- Additional comment from kurt on 2010-12-30 19:52:59 EST ---

http://seclists.org/oss-sec/2010/q4/376

From: Earl Hood
12/30/10 3:12 PM
To: oss-security <oss-security.com>
CC: "Steven M. Christey" <coley.org>,"non customers" <non-customers>, jeff,geissert, vendor-sec, mhonarc-dev
Subject: [oss-security] Fix for CVE-2010-4524 and CVE-2010-1677 ready for verification

I've committed in a potential fix, and made a snapshot build that should address the following recent security issues:

CVE-2010-4524
CVE-2010-1677

Snapshot release is available at the following location:

http://www.mhonarc.org/release/MHonArc/dist/

Any build dated 2010-12-30, or later, will contain the fix.

I ask that the interested parties verify that the fix addresses concerns raised as I would like to make a formal release as soon as possible.

Summary of fix: mhtxthtml.pl filter modified to reject any message with nested tags. This is invalid HTML, so any message that contains it would likely indicate a possible attack.

Whenever a formal, public, announcement of these vulnerabilities is raised, please include a link to the MHonArc FAQ that discusses the security risks of HTML mail and how to disable HTML mail in mhonarc archives:

http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmldata
http://www.mhonarc.org/MHonArc/doc/faq/security.html#htmlexchow

This may be useful for users who may not be able to upgrade to the latest release, but need a work-around solution to secure their sites.

Thanks,

--ewh

--
Earl Hood, <earl>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>

--- Additional comment from kurt on 2010-12-30 19:55:47 EST ---

Created attachment 471232
patch for CVE-2010-4524

diff -ru MHonArc-2.6.16 MHonArc-2010-12-30-snap > diff-ru.txt
*** This bug has been marked as a duplicate of bug 667483 ***
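
The fix summary in the quoted message says mhtxthtml.pl now rejects any message with nested tags. As an added illustration (not MHonArc's code and not taken from the attached patch), the Perl below is a single-pass check of that kind; it assumes "nested" means a tag opening before the previous tag has been closed, and the function name and sample strings are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: a "nested tag" is a '<' that starts a tag (followed by a
# letter or '/') while an earlier tag is still open, i.e. no '>' seen yet.
# Returns the offset of the first nested tag, or -1 if there is none.
# The scan is one left-to-right pass, so its cost is linear in the input
# length no matter how deeply the tags are nested.
# Deliberately conservative: a '<tag' inside a quoted attribute value or
# inside an HTML comment is also reported, which errs toward rejecting.
sub first_nested_tag {
    my ($html) = @_;
    my $in_tag = 0;
    pos($html) = 0;
    while ($html =~ /\G[^<>]*([<>])/gc) {
        my $ch  = $1;
        my $off = pos($html) - 1;          # offset of the '<' or '>' just matched
        if ($ch eq '>') {
            $in_tag = 0;                   # closes whatever tag was open
        }
        elsif (substr($html, $off + 1, 1) =~ m{\A[A-Za-z/]}) {
            return $off if $in_tag;        # second tag start before a '>'
            $in_tag = 1;
        }
        # any other '<' (e.g. "1 < 2") is treated as literal text
    }
    return -1;
}

# Constructed sample message bodies (not from the bug report).
my @samples = (
    '<p>plain <b>bold</b> text</p>',
    '<p>1 < 2 and 3 > 2</p>',
    '<b<i>old>text</b>',
    '<p>' . ('<b' x 5000) . 'x' . ('>' x 5000),   # massively nested
);

for my $s (@samples) {
    my $off   = first_nested_tag($s);
    my $shown = length($s) > 40 ? substr($s, 0, 37) . '...' : $s;
    printf "%-42s %s\n", $shown,
        $off < 0 ? 'accept' : "reject (nested tag at offset $off)";
}
```

The check stops at the first nested tag, so the massively nested sample is rejected after reading only a few characters.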