Bugtraq mailing list archives
MH also vulnerable to remote attack (was Re: nmh security update)
From: dan-bugtraq () DILVISH SPEED NET (Dan Harkless)
Date: Thu, 2 Mar 2000 16:37:37 -0800
Ruud de Rooij <ruud () RUUD ORG> writes:
Versions prior to 1.0.3 of the nmh package contained a vulnerability where incoming mail messages with carefully designed MIME headers could cause nmh's mhshow command to execute arbitrary shell code. This bug has been fixed in nmh 1.0.3 and we encourage you to upgrade immediately. The fixed package is available at ftp://ftp.mhost.com/pub/nmh/nmh-1.0.3.tar.gz The MD5sum of nmh-1.0.3.tar.gz is 02519bf8f7ff8590ecfbee9f9500ea07.
Please note that the MIME-handling code with the security hole dates back to nmh's ancestor MH, so MH users (at least those using latter-day versions with MIME capability) are also strongly encouraged to upgrade to nmh 1.0.3. ---------------------------------------------------------------------- Dan Harkless | To prevent SPAM contamination, please dan-bugtraq () dilvish speed net | do not mention this private email SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
Current thread:
- MH also vulnerable to remote attack (was Re: nmh security update) Dan Harkless (Mar 02)