Fix for CVE-2010-4524 and CVE-2010-1677 ready for verfication

2010-12-30 15:12:04
I've committed in a potential fix, and made a
snapshot build that should address the following
recent security issues:


Snapshot release is available at the following location:

Any build dated 2010-12-30, or later, will contain the

I ask the interested parties verify that the fix addresses
concerns raised as I would like to make a formal release
as soon as possible.

Summary of fix: filter modified to reject any message with
  nested tags. This is invalid HTML, so any message
  that contains it would likely indicate a possible attack.

Whenever a formal, public, announcement of these vulnerabilities
are raise, please include link to the MHonArc FAQ that discusses
the security risks of HTML mail and how to disable HTML mail
in mhonarc archives:

This may be useful for users who may not be able to upgrade
to the latest release, but need a work-around solution to secure
their sites.


Earl Hood, <earl(_at_)earlhood(_dot_)com>
Web: <>
PGP Public Key: <>

To sign-off this list, send email to majordomo(_at_)mhonarc(_dot_)org with the

<Prev in Thread] Current Thread [Next in Thread>
  • Fix for CVE-2010-4524 and CVE-2010-1677 ready for verfication, Earl Hood <=