[PLDSA 15-1] New MHonArc packages fix cross site scripting

Krzysiek Taraszka dzimi at pld.org.pl
Thu Jan 30 14:11:01 CET 2003


--------------------------------------------------------------------------
PLD Security Advisory PLDSA 15-1                        security at pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
13 January 2003 			http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------

Package        : prior to MHonArc-2.5.14-1
Vulnerability  : cross site scripting
Problem-Type   : remote
PLD-specific   : no
CVE references : CAN-2002-1307, CAN-2002-1388

CAN-2002-1307:
Steven Christey discovered a cross site scripting vulnerability in
mhonarc, a mail to HTML converter.  Carefully crafted message headers
can introduce cross site scripting when mhonarc is configured to
display all header lines on the web.  Restricting the displayed header
lines to To, From and Subject, which is often the more useful setting
anyway, prevents the vulnerability from being exploited.

CAN-2002-1388:
Earl Hood, author of mhonarc, a mail to HTML converter, discovered a
cross site scripting vulnerability in this package.  A specially
crafted HTML mail message can introduce foreign scripting content into
archives, bypassing MHonArc's HTML script filtering.
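The two sinks above, as an added illustration (not MHonArc's code, and not the specific bypass that CAN-2002-1388 used, which this advisory does not describe): a renderer that copies every header line into the page versus one that keeps only the To/From/Subject allowlist and HTML-escapes the values, and a strip-once "<script>" blacklist for HTML bodies versus an allowlist sanitizer. The sample message, the hypothetical X-Comment header, the body string and the tag allowlist are all constructed for the example.

```python
"""Illustration of the two XSS sinks described in the advisory: raw header
lines rendered into HTML, and a strip-once <script> blacklist on HTML bodies.
Added example for this advisory, not MHonArc's code."""
import html
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser

# Constructed sample message. X-Comment is the attacker-controlled header line
# that a "show every header" configuration would copy into the archive page.
SAMPLE_MESSAGE = """\
From: alice@example.org
To: list@example.org
Subject: hello
X-Comment: <script>alert(document.cookie)</script>

body text
"""

# Constructed HTML body: a single-pass tag stripper turns the middle into <script>.
BYPASS_BODY = "<p>Hi</p><scr<script></script>ipt>alert(1)</script>"

SAFE_HEADERS = ("From", "To", "Subject")   # the allowlist the advisory recommends
ALLOWED_TAGS = {"p", "b", "i", "br", "a"}   # hypothetical body-markup allowlist
ALLOWED_ATTRS = {"a": {"href"}}


def parse_message(text: str) -> Message:
    return message_from_string(text)


def render_headers_unsafe(msg: Message) -> str:
    """Vulnerable (CAN-2002-1307 shape): every header value is emitted verbatim."""
    return "\n".join(f"<b>{name}:</b> {value}<br>" for name, value in msg.items())


def render_headers_safe(msg: Message, allowed=SAFE_HEADERS) -> str:
    """Hardened: only allowlisted headers, and every value HTML-escaped."""
    lines = []
    for name in allowed:
        value = msg.get(name)
        if value is not None:
            lines.append(f"<b>{html.escape(name)}:</b> {html.escape(value)}<br>")
    return "\n".join(lines)


SCRIPT_TAG = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def filter_body_blacklist(body_html: str) -> str:
    """Fragile: deleting <script>...</script> once can *create* a script tag."""
    return SCRIPT_TAG.sub("", body_html)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from allowed tags/attributes only; all text is escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # unknown tags (script, img, ...) vanish
        parts = [tag]
        for key, value in attrs:
            if key in ALLOWED_ATTRS.get(tag, set()) and value \
                    and value.lower().startswith(("http://", "https://")):
                parts.append(f'{key}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{' '.join(parts)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))   # text can never become markup


def filter_body_allowlist(body_html: str) -> str:
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(body_html)
    sanitizer.close()
    return "".join(sanitizer.out)


if __name__ == "__main__":
    msg = parse_message(SAMPLE_MESSAGE)
    print(render_headers_unsafe(msg))          # contains the raw <script> line
    print(render_headers_safe(msg))            # X-Comment dropped; values escaped
    print(filter_body_blacklist(BYPASS_BODY))  # <p>Hi</p><script>alert(1)</script>
    print(filter_body_allowlist(BYPASS_BODY))  # no tag named script survives
```

The point of the body half is that a filter which deletes forbidden markup leaves the attacker in control of what the deletion exposes; a sanitizer that emits only tags it recognises and escapes everything else has no such failure mode, which is why restricting displayed headers to an allowlist is the right fix on the header side as well.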

The above problems have been fixed in version 2.5.14-1 for the
current stable distribution (ra).

We recommend that you upgrade your MHonArc packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced package(s).

If you are using "poldek" - the package manager, use the lines given below
to upgrade the packages

poldek --update
        will update the internal database
poldek --upgrade 'MHonArc*'
        will install corrected packages

If you are using "apt" - the package manager, use the lines given below
to upgrade the packages

apt-get update
        will update the internal database
apt-get install MHonArc
        will install the corrected package (apt-get upgrade takes no
        package names; a bare "apt-get upgrade" upgrades everything installed)

PLD Linux 1.0 alias ra
----------------------

  Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/MHonArc-2.5.14-1.src.rpm
       MD5 checksum: 6489ed316c78c0f70bf0c47cb092e420

  I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/MHonArc-2.5.14-1.noarch.rpm
       MD5 checksum: 71b42be78171a3ee96be40db5e2e37ba


  I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/MHonArc-2.5.14-1.noarch.rpm
       MD5 checksum: 039581b7111b2ff2a1792d7a76f0ff78


  I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/MHonArc-2.5.14-1.noarch.rpm
       MD5 checksum: b69281c6cd69957f8452148bad51c03d


  PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/MHonArc-2.5.14-1.noarch.rpm
       MD5 checksum: eb0d5d8ae7b2d9aa132d58f635fb447e
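The manual wget/rpm procedure given earlier, with the checksum list above actually used as a gate before installation. This is an added example, not part of the PLD advisory; the URL and checksum in the usage comment are taken from the i386 entry above, while the helper function names are ours.

```sh
#!/bin/sh
# Added example (not part of the PLD advisory): fetch one of the packages
# listed in the advisory, confirm its MD5 against the published value, and
# only then hand it to rpm. Helper names are ours; the URL/checksum in the
# usage comment are copied from the advisory's i386 entry.

# verify_md5 FILE EXPECTED_MD5 -> exit 0 if the file's md5sum matches.
verify_md5() {
    file=$1
    expected=$2
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# fetch_verify_upgrade URL EXPECTED_MD5
# Downloads URL, refuses to install on checksum mismatch, then upgrades.
fetch_verify_upgrade() {
    url=$1
    expected=$2
    file=$(basename "$url")
    wget -c "$url" || return 1
    if ! verify_md5 "$file" "$expected"; then
        echo "checksum mismatch for $file, refusing to install" >&2
        return 1
    fi
    # The MD5 only proves the download matches the advisory; rpm -K
    # (--checksig) additionally checks the package signature, which needs
    # the distribution's signing key imported into the rpm keyring.
    rpm -K "$file" || return 1
    rpm -Uhv "$file"
}

# Usage (i386 package from the advisory; not run automatically):
# fetch_verify_upgrade \
#   ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/MHonArc-2.5.14-1.noarch.rpm \
#   71b42be78171a3ee96be40db5e2e37ba
```

An MD5 read from the same advisory mail that carries the download link only detects corrupted or substituted downloads; it does not authenticate the advisory itself, which is what the rpm signature check is for.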


--------------------------------------------------------------------------------
If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.

For i386 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


