Re: [approved] 2.5.3 security question

2002-08-24 20:19:25
On August 24, 2002 at 03:11, Jeff Breidenbach wrote:

> I'm wearing my Debian package maintainer hat at the moment.
>
> How serious are the security issues with MHonArc 2.5.3? Debian is
> shipping 2.5.3 in our stable branch, which we generally don't mess
> with except for security problems. The release notes indicate
> that 2.5.3 has some vulnerabilities.
>
> Do MHonArc developers recommend we issue an advisory and take action
> (provide a newer MHonArc or backport a security fix?)  Or is the
> particular problem not such a big deal?

v2.5.3 actually included some additional filtering to minimize
XSS vulnerabilities in HTML messages.  The CAUTION in v2.5.3 just
states that HTML messages should be treated as possible security
problems and no guarantee is provided for the default HTML filtering
capabilities in MHonArc to prevent all XSS exploits.

