Bug#607693: mhonarc: cross-site scripting when converting HTML mails

2011-01-01 Thread Jeff Breidenbach
After extensive discussion, upstream is preparing a new release of mhonarc (the security and related bug fixes are more extensive than the patch supplied to Debian). I prefer to ship the new release as the security update, rather than attempt a backport. Happy to discuss if security team has any

Bug#607693: mhonarc: cross-site scripting when converting HTML mails

2010-12-30 Thread Jeff Breidenbach
Based on discussion with Earl so far, I think the correct fix is disabling HTML mail support by default.

Bug#607693: mhonarc: cross-site scripting when converting HTML mails

2010-12-20 Thread non customers
Subject: mhonarc: cross-site scripting when converting HTML mails
Package: mhonarc
Version: 2.6.16-1
Severity: important
Tags: security

MHonArc has a cross-site scripting (XSS) security issue when converting HTML mails with malformed HTML tags of the form scrbodyipt:

$ mhonarc elsatest.mbox

This