Ruud de Rooij <ruudat_private> writes: > Versions prior to 1.0.3 of the nmh package contained a vulnerability > where incoming mail messages with carefully designed MIME headers could > cause nmh's mhshow command to execute arbitrary shell code. > > This bug has been fixed in nmh 1.0.3 and we encourage you to upgrade > immediately. The fixed package is available at > > ftp://ftp.mhost.com/pub/nmh/nmh-1.0.3.tar.gz > > The MD5sum of nmh-1.0.3.tar.gz is 02519bf8f7ff8590ecfbee9f9500ea07. Please note that the MIME-handling code with the security hole dates back to nmh's ancestor MH, so MH users (at least those using latter-day versions with MIME capability) are also strongly encouraged to upgrade to nmh 1.0.3. ---------------------------------------------------------------------- Dan Harkless | To prevent SPAM contamination, please dan-bugtraqat_private | do not mention this private email SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:51 PDT