Hi List,

I received this notice about vulnerabilities in pine as used by Red Hat. Do these vulnerabilities apply to SuSE distribution versions of pine?

James Ferrando

Forwarded notice follows ...

Complete information about this errata can be found at the following location:
https://rhn.redhat.com/network/errata/errata_details.pxt?eid=1009

Security Advisory - RHSA-2002:009-08
------------------------------------------------------------------------------
Summary: Updated pine packages are available

Pine (version 4.43 and earlier) as released with all currently supported versions of Red Hat Linux (6.2, 7, 7.1, 7.2), contains a URL handling bug. This bug can allow a malicious attacker to cause arbitrary commands embedded in a URL to be executed on the user's system upon attempting to view the URL.

Description:
The purpose of this release is to fix a security bug with the treatment of quotes in the URL-handling code. The bug allows a malicious sender to embed commands in a URL. This bug is present in all versions of UNIX Pine 4.43 or earlier.

Example: A URL constructed as:
http://www.somewhere.com/'&touch${IFS}/tmp/foo${IFS}/tmp/bar'
would cause the files /tmp/foo and /tmp/bar to be created on the user's machine if the URL is viewed.

Thanks to zen-parse for discovering and reporting this problem.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0014 to this issue.
---------------------------------------------------------
James Ferrando
james@ferrando.co.uk
Oxford ZEUS Group
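The advisory above describes a quoting bug: the URL is dropped into a shell command between single quotes, so a single quote inside the URL closes the quoting and whatever follows is parsed by sh, with ${IFS} standing in for the spaces that a URL cannot contain. The C program below is an added illustration, not Pine's code and not part of this thread. It assumes a command template (a harmless printf stands in for the URL viewer), the function names shown, and a fresh temporary directory in place of /tmp/foo and /tmp/bar; it runs the advisory's payload against the naive builder and against a builder that escapes embedded single quotes, and reports whether the injected touch ran.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Wrap 'in' in single quotes for /bin/sh. Every embedded single quote becomes
 * '\'' (close the quote, emit an escaped quote, reopen). Nothing inside single
 * quotes is expanded by sh, so & and ${IFS} lose their meaning.
 * Returns the length written, or -1 if 'out' is too small. */
static int shell_single_quote(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (n + 1 >= outsz) return -1;
    out[n++] = '\'';
    for (; *in; in++) {
        if (*in == '\'') {
            if (n + 4 >= outsz) return -1;
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            if (n + 1 >= outsz) return -1;
            out[n++] = *in;
        }
    }
    if (n + 2 > outsz) return -1;
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* The pattern behind CAN-2002-0014: the URL is pasted into a command template
 * between single quotes with no escaping and the result goes to system().
 * The template itself is an assumption for this demo (printf instead of a
 * real viewer). A single quote in the URL terminates the quoted string. */
static int build_cmd_naive(const char *url, char *cmd, size_t cmdsz)
{
    int n = snprintf(cmd, cmdsz, "printf '%%s\\n' '%s'", url);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : n;
}

/* Hardened variant of the same template: the URL goes through
 * shell_single_quote() and is inserted as one already-quoted word. */
static int build_cmd_quoted(const char *url, char *cmd, size_t cmdsz)
{
    char q[2048];
    if (shell_single_quote(url, q, sizeof q) < 0) return -1;
    int n = snprintf(cmd, cmdsz, "printf '%%s\\n' %s", q);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : n;
}

/* Run the advisory's payload through one builder and check whether the
 * injected 'touch' ran. The files go into a fresh temp dir (hypothetical
 * /tmp/pinedemoXXXXXX) rather than /tmp/foo and /tmp/bar.
 * Returns 1 if the files were created, 0 if not, -1 on setup failure. */
static int injection_succeeds(int (*build)(const char *, char *, size_t))
{
    char dir[] = "/tmp/pinedemoXXXXXX";
    if (mkdtemp(dir) == NULL) return -1;

    char url[512], foo[256], bar[256], cmd[4096];
    snprintf(foo, sizeof foo, "%s/foo", dir);
    snprintf(bar, sizeof bar, "%s/bar", dir);
    /* Same shape as the advisory's URL: a quote to close the template's
     * quoting, '&' to start a new command, ${IFS} in place of spaces, and a
     * trailing quote so the template's final quote is balanced again. */
    snprintf(url, sizeof url,
             "http://www.somewhere.com/'&touch${IFS}%s${IFS}%s'", foo, bar);

    int created = 0;
    if (build(url, cmd, sizeof cmd) >= 0 && system(cmd) != -1) {
        struct stat st;
        created = (stat(foo, &st) == 0 && stat(bar, &st) == 0);
    }
    unlink(foo);
    unlink(bar);
    rmdir(dir);
    return created;
}

int main(void)
{
    printf("naive builder, injection ran: %d\n", injection_succeeds(build_cmd_naive));
    printf("quoted builder, injection ran: %d\n", injection_succeeds(build_cmd_quoted));
    return 0;
}
```

With the naive builder the shell sees `printf '%s\n' 'http://www.somewhere.com/'&touch${IFS}…/foo${IFS}…/bar''`, backgrounds the printf and runs touch; with the quoted builder the whole URL is one literal word and printf just echoes it. Escaping is the minimal fix for code that must go through sh; the more robust design is to avoid the shell entirely and pass the URL as a single argv element to fork/execvp, which has no quoting layer to get wrong.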
This has been fixed for ages. Read our security announcements!
http://www.suse.de/de/support/security/2002_003_at_txt.html
Roman.

--
Roman Drahtmüller