Home page logo

bugtraq logo Bugtraq mailing list archives

MH also vulnerable to remote attack (was Re: nmh security update)
From: dan-bugtraq () DILVISH SPEED NET (Dan Harkless)
Date: Thu, 2 Mar 2000 16:37:37 -0800

Ruud de Rooij <ruud () RUUD ORG> writes:
Versions prior to 1.0.3 of the nmh package contained a vulnerability
where incoming mail messages with carefully designed MIME headers could
cause nmh's mhshow command to execute arbitrary shell code.

This bug has been fixed in nmh 1.0.3 and we encourage you to upgrade
immediately.  The fixed package is available at


The MD5sum of nmh-1.0.3.tar.gz is 02519bf8f7ff8590ecfbee9f9500ea07.

Please note that the MIME-handling code with the security hole dates back to
nmh's ancestor MH, so MH users (at least those using latter-day versions
with MIME capability) are also strongly encouraged to upgrade to nmh 1.0.3.

Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.

  By Date           By Thread  

Current thread:
  • MH also vulnerable to remote attack (was Re: nmh security update) Dan Harkless (Mar 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]