netbsd-bugs: pkg/19366: mhonarc package has cross-site-scripting vulnerabilities

Subject: pkg/19366: mhonarc package has cross-site-scripting vulnerabilities
To: None <gnats-bugs@gnats.netbsd.org>
From: Eric Gillespie <epg@pretzelnet.org>
List: netbsd-bugs
Date: 12/12/2002 16:48:47
>Number:         19366
>Category:       pkg
>Synopsis:       mhonarc package has cross-site-scripting vulnerabilities
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Dec 12 13:49:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        NetBSD 1.6
>Organization:
>Environment:
System: NetBSD wundagore.pretzelnet.org 1.6 NetBSD 1.6 ($Id: WUNDAGORE 435 2002-10-02 02:08:24Z epg $) #4: Sun Nov 24 15:22:10 EST 2002 epg@wundagore.pretzelnet.org:/usr/src/sys/arch/i386/compile/WUNDAGORE i386
Architecture: i386
Machine: i386
>Description:
The version of mhonarc in pkgsrc (2.5.11) contains cross-script-scripting
vulnerabilities.  No exploits are currently known for any of these.
>How-To-Repeat:
>Fix:
Upgrade to 2.5.13.  Summary of changes below the diff, see
CHANGES file for details.

Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/mail/mhonarc/Makefile,v
retrieving revision 1.10
diff -a -u -r1.10 Makefile
--- Makefile	2002/08/23 01:48:26	1.10
+++ Makefile	2002/12/12 21:34:11
@@ -1,8 +1,8 @@
 # $NetBSD: Makefile,v 1.10 2002/08/23 01:48:26 grant Exp $
 #
 
-DISTNAME=	MHonArc2.5.11
-PKGNAME=	mhonarc-2.5.11
+DISTNAME=	MHonArc2.5.13
+PKGNAME=	mhonarc-2.5.13
 CATEGORIES=	mail
 MASTER_SITES=	http://www.oac.uci.edu/indiv/ehood/tar/ \
 		ftp://hhobel.phl.univie.ac.at/MHonArc/
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/mail/mhonarc/distinfo,v
retrieving revision 1.6
diff -a -u -r1.6 distinfo
--- distinfo	2002/08/23 01:48:25	1.6
+++ distinfo	2002/12/12 21:34:11
@@ -1,4 +1,4 @@
 $NetBSD: distinfo,v 1.6 2002/08/23 01:48:25 grant Exp $
 
-SHA1 (MHonArc2.5.11.tar.bz2) = 65960e6cfe8056efacbd90936eb00d88ec9ddad5
-Size (MHonArc2.5.11.tar.bz2) = 467400 bytes
+SHA1 (MHonArc2.5.13.tar.bz2) = 1c4543c3b96091e47bae47efa0b9585c6496f8ac
+Size (MHonArc2.5.13.tar.bz2) = 476495 bytes

Changes from 2.5.12 to 2.5.13:

* DBFILE resource can now be set to an absolute pathname.
* readmail.pl updated to handle MHTML messages better.
* readmail.pl handling of malformed multipart messages improved.
* Fixed problem where some message attachments were "lost".
* Various bug-fixes and improvements to m2h_external::filter,
  most importantly, fixing cross-site-scripting holes.

Changes from 2.5.11 to 2.5.12:

* Strip more tags and attributes that could potentially be used for
  XSS exploits in the HTML filter.  This is a more of a preemptive
  change since no new exploits have been reported.
* DATEFIELDS resource now supports indexed field names.
>Release-Note:
>Audit-Trail:
>Unformatted: