Update of mhonarc/MHonArc
Modified Files:
CHANGES
Log Message:
Bug #32013, #32014: Reject any HTML message that has nested tag markup.
Example: <bo<body>dy>
This should address both security items related to XSS and DoS.
======================================================================
FILE: mhonarc/MHonArc/CHANGES
<http://www.mhonarc.org/cgi-bin/viewcvs.cgi/*checkout*/mhonarc/MHonArc/CHANGES?rev=1.144>
<http://www.mhonarc.org/cgi-bin/viewcvs.cgi/mhonarc/MHonArc/CHANGES.diff?r1=1.143&r2=1.144&diff_format=h>
--- CHANGES 3 May 2009 20:11:27 -0000 1.143
+++ CHANGES 30 Dec 2010 20:52:23 -0000 1.144
@@ -14,5 +14,21 @@
YYYY/MM/DD
============================================================================
-2009/MM/DD (2.6.XX)
+2010/12/31 (2.6.17)
+
+* Bug Fixes:
+
+ Bug ID Summary
+ ------ ------------------------------------------------------------
+ 32013 CVE-2010-4524: Improper escaping of certain HTML sequences
+ (XSS)
+ 32014 CVE-2010-1677: DoS when processing html messages with deep
+ tag nesting
+ ------ ------------------------------------------------------------
+
+* When KEEPONRMM is enabled, messages that are removed from
+ the archive do not cause linked messages to be updated.
+ This allows for pages that use $TSLICE$ to maintain thread
+ links for messages that "fall off" of the maintained list
+ of archived messages.
* Added pre-extraction of From name and From address. This
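Review bot: In the new 2.6.17 Bug Fixes table, the rows for 32013 and 32014 name the CVEs but not the behaviour change that fixes them. The log message says any HTML message with nested tag markup (its example is <bo<body>dy>) is now rejected, and that belongs in CHANGES so archive maintainers can recognise the new behaviour after upgrading. Suggest adding one sentence under the table saying that such messages are rejected. Separately, the heading is dated 2010/12/31 while this revision is stamped 30 Dec 2010, so please confirm that the later date is the intended release date.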
---------------------------------------------------------------------
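The log message's `<bo<body>dy>` case, as an added Python example (not MHonArc's own code, which is not shown on this page): it assumes a filter that deletes disallowed tags in a single pass, and contrasts that with rejecting nested markup before any stripping. The names `strip_once`, `has_nested_tag_markup` and `filter_html` are hypothetical.

```python
import re
from typing import Optional

# Assumption: a filter that deletes disallowed tags in one regex pass.
_DISALLOWED = re.compile(r"</?(?:body|script)\b[^>]*>", re.IGNORECASE)


def strip_once(html: str) -> str:
    """Single-pass tag deletion; the output is never re-checked."""
    return _DISALLOWED.sub("", html)


def has_nested_tag_markup(html: str) -> bool:
    """True if a '<' appears inside a tag that has not yet been closed by '>'.

    Fails closed: unterminated tags and comments count as nested, and quoted
    attribute values are not exempted, so <a title="x<y"> is also flagged.
    """
    i, n, in_tag = 0, len(html), False
    while i < n:
        if not in_tag and html.startswith("<!--", i):
            end = html.find("-->", i + 4)
            if end == -1:
                return True          # unterminated comment
            i = end + 3              # comment bodies may contain '<'
            continue
        ch = html[i]
        if ch == "<":
            if in_tag:
                return True          # e.g. the second '<' in <bo<body>dy>
            nxt = html[i + 1:i + 2]
            # A bare '<' in text ("1 < 2") does not open a tag.
            if nxt.isalpha() or nxt in ("/", "!", "?"):
                in_tag = True
        elif ch == ">" and in_tag:
            in_tag = False
        i += 1
    return in_tag                    # unterminated tag at end of input


def filter_html(html: str) -> Optional[str]:
    """Reject nested markup outright (returns None); otherwise strip tags."""
    if has_nested_tag_markup(html):
        return None
    return strip_once(html)


if __name__ == "__main__":
    sample = "<bo<body>dy>"          # the example from the log message
    print(repr(strip_once(sample)))  # stripping alone reassembles a tag
    print(filter_html(sample))       # rejected before stripping
```

Stripping alone turns the sample into a well-formed `<body>` tag, which is why the check runs before any stripping and rejects the message instead of trying to repair it.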