Debian Security Advisory

nmh -- remote exploit in nmh

Date Reported:

28 Feb 2000

Affected Packages:

nmh

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2000-0196.

More information:

The version of nmh that was distributed in Debian GNU/Linux 2.1 (aka slink) did not check incoming mail messages properly. This could be exploited by using carefully designed MIME headers to trick mhshow into executing arbitrary shell code. This has been fixed in version 0.27-0.28-pre8-4. We recommend you upgrade your nmh package immediately.

Fixed in:

Source:: http://security.debian.org/dists/slink/updates/source/nmh_0.27-0.28-pre8-4.diff.gz; http://security.debian.org/dists/slink/updates/source/nmh_0.27-0.28-pre8-4.dsc; http://security.debian.org/dists/slink/updates/source/nmh_0.27-0.28-pre8.orig.tar.gz
alpha:: http://security.debian.org/dists/slink/updates/binary-alpha/nmh_0.27-0.28-pre8-4_alpha.deb
i386:: http://security.debian.org/dists/slink/updates/binary-i386/nmh_0.27-0.28-pre8-4_i386.deb
m68k:: http://security.debian.org/dists/slink/updates/binary-m68k/nmh_0.27-0.28-pre8-4_m68k.deb
sparc:: http://security.debian.org/dists/slink/updates/binary-sparc/nmh_0.27-0.28-pre8-4_sparc.deb