<http://www.mhonarc.org/>
MHonArc releases prior to v2.6.17 have known vulnerabilities to the
HTML filter, making web sites hosting MHonArc web archives vulnerable
to XSS attackes. All users are STRONGLY encouraged to upgrade to the
latest release.
If you are unable to upgrade immediately, and you are operating a site
that archives messages from untrusted sources, please see the following
item in the MHonArc FAQ: "So how can I exclude HTML mail?". Even with
the fixes provided in v2.6.17, it is HIGHLY RECOMMENDED to neutralize
HTML data for any archive containing content from untrusted sources.
============================================================================
2011/01/09 (2.6.17)
* Security Fixes:
Bug ID Summary
------ ------------------------------------------------------------
32013 CVE-2010-4524: Improper escaping of certain HTML
sequences (XSS)
32014 CVE-2010-1677: DoS when processing html messages with deep
tag nesting
32080 Specially crafted <base href> can lead to XSS exploit
------ ------------------------------------------------------------
* Bug Fixes:
Bug ID Summary
------ ------------------------------------------------------------
13853 Creation of archive with attachments writes over symlinks
14747 major (10X) memory savings possible in some situations
15433 relative attachmentdir is relative to current working dir,
not outdir
17660 Threaded index resource ordering doesn't allow well formed
XML output
17860 incorrect nested HTML Tags for references
17904 FieldOrder affects AddressModifyCode
18113 Inconsistant thread slices w/ poor man's windowing
18908 X-Subject data get split in separate lines
20074 extra space in subject
20142 strip backslash in rfc822 From: field
23198 Incorrect Setting Installation Directory
24247 iso2022jp.pl: unneeded ESC ( B remains in message body
25225 dir_create() fails to make temporary directories (PATCH)
25486 Resource FieldStore causes .mhonarc.db to grow over bounds
26577 Changed semantic for unpack breaks UTF-8
32032 TextEncode related resource information not saved correctly
in db file
------ ------------------------------------------------------------
* Added FOLLOWSYMLINKS resource (Bug #13853).
* When KEEPONRMM is enabled, messages that are removed from
the archive do not cause linked messages to be updated. This allows
for pages that use $TSLICE$ to maintain thread links for messages
that "fall off" of the maintained list of archived messages.
* Added pre-extraction of From name and From address. This
provides a performance improvement for archives that make use of
the $FROMADDR$ and $FROMADDRNAME$ resource variables along with
author sorting.
* Added mapping of message index keys to time stamp. This should
provide some performance gain since parsing out of time stamp from
index is no longer required.
* Cache last message number in db to avoid directory scan of archive
each time an add operation is performed. This provides a performance
improvement for large archives and on file systems where directory
reading with many files may not be optimal. Thanks go to Christopher
Lindsey for patch.
* Added References and In-Reply-To to as-is fields list to avoid
automatic modification of message IDs if address-rewriting is
in effect.
* Simplified regular expression for detecting addresses.
New expression performs significantly better than the previous
expression, but still matches the vast majority of addresses
used today.
============================================================================
--
Earl Hood, <earl(_at_)earlhood(_dot_)com>
Web: <http://www.earlhood.com/>
PGP Public Key: <http://www.earlhood.com/gpgpubkey.txt>
