MH also vulnerable to remote attack (was Re: nmh security update)

[dan-bugtraq () DILVISH SPEED NET (Dan Harkless)]

Ruud de Rooij <ruud () RUUD ORG> writes:
> Versions prior to 1.0.3 of the nmh package contained a vulnerability
> where incoming mail messages with carefully designed MIME headers could
> cause nmh's mhshow command to execute arbitrary shell code.
>
> This bug has been fixed in nmh 1.0.3 and we encourage you to upgrade
> immediately.  The fixed package is available at
>
>   ftp://ftp.mhost.com/pub/nmh/nmh-1.0.3.tar.gz
>
> The MD5sum of nmh-1.0.3.tar.gz is 02519bf8f7ff8590ecfbee9f9500ea07.

Please note that the MIME-handling code with the security hole dates back to
nmh's ancestor MH, so MH users (at least those using latter-day versions
with MIME capability) are also strongly encouraged to upgrade to nmh 1.0.3.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.