Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
Hi, all --

...and then Thomas Roessler said...
%
% Date: Fri, 11 Jan 2002 01:54:49 -0800 (PST)
% ...
% mutt-1.2.5.1 and mutt-1.3.25 have just been released.

Didn't we see these come out already? Is this somehow different from the Jan 01 message [EMAIL PROTECTED] (which was PGP-MIME signed, I noted, while this one isn't)? It's not the same message reinjected, but it doesn't look like anything new, either...

:-D
--
David T-G * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
On Fri, Jan 11, 2002 at 08:32:24AM -0500, David T-G wrote:
> % mutt-1.2.5.1 and mutt-1.3.25 have just been released.
>
> Didn't we see these come out already? Is this somehow different from the Jan 01 message [EMAIL PROTECTED] (which was PGP-MIME signed, I noted, while this one isn't)? It's not the same message reinjected, but it doesn't look like anything new, either...

Arrived sometime during the night, and I approved it ...

Steve
--
NetTek Ltd Flat 2, 43 Howitt Road, Belsize Park, London NW3 4LU, UK
tel +44-(0)20 7483 1169 fax +44-(0)20 7483 2455 mob 07775 755503
SMS steve-pager (at) gbnet.net [body] gpg 1024D/468952DB 2001-09-19
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
On Jan 11, David T-G [[EMAIL PROTECTED]] wrote:
> ...and then Thomas Roessler said...
> %
> % Date: Fri, 11 Jan 2002 01:54:49 -0800 (PST)
> % ...
> % mutt-1.2.5.1 and mutt-1.3.25 have just been released.
>
> Didn't we see these come out already? Is this somehow different from the Jan 01 message [EMAIL PROTECTED] (which was PGP-MIME signed, I noted, while this one isn't)? It's not the same message reinjected, but it doesn't look like anything new, either...

I think it is the same message reinjected, just really broken before it was, including the loss of the original message id.

- the mime headers are visible in the body, indicating the real main mime headers were lost somewhere.
- I was cc'ed on the original, but not this one. however, I got a copy of this to my regular address, indicating the cc was mutated into a bcc.
- the received: path indicates it originated at postal.trymedia.com, registered as a california company. Thomas is of course in Germany.
- the PGP signature is there, just not properly accounted for in the headers.

Steve can you check who on the list is at that domain and try to track it down? This isn't the first message I've thought I was seeing too many times in the last few weeks, though this one is the most obvious, and I didn't check the headers on those.
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
Jeremy, et al --

...and then Jeremy Blosser said...
%
% On Jan 11, David T-G [[EMAIL PROTECTED]] wrote:
%
% > Didn't we see these come out already? Is this somehow different from the
% > Jan 01 message [EMAIL PROTECTED] (which
% > was PGP-MIME signed, I noted, while this one isn't)? It's not the same
% > message reinjected, but it doesn't look like anything new, either...
%
% I think it is the same message reinjected, just really broken before it
% was, including the loss of the original message id.

H...

%
% - the mime headers are visible in the body, indicating the real main mime
% headers were lost somewhere.

Good point; I missed the MIME info down below and just saw the sig.

% - I was cc'ed on the original, but not this one. however, I got a copy of
% this to my regular address, indicating the cc was mutated into a bcc.

Ahhh... Interesting!

% - the received: path indicates it originated at postal.trymedia.com,
% registered as a california company. Thomas is of course in Germany.
% - the PGP signature is there, just not properly accounted for in the
% headers.

Right.

%
% Steve can you check who on the list is at that domain and try to track it
% down? This isn't the first message I've thought I was seeing too many
% times in the last few weeks, though this one is the most obvious, and I
% didn't check the headers on those.

Thanks for the info!

:-D
--
David T-G * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
Duplicate. Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
This was a duplicate message apparently inserted at trymedia.com. It's certainly not the version of the message I sent out.

On 2002-01-11 01:54:49 -0800, Thomas Roessler wrote:
> Return-Path: [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> Received: from localhost (localhost [127.0.0.1])
>     by sobolev.does-not-exist.org (Postfix) with ESMTP id 54EAD2ED13
>     for [EMAIL PROTECTED]; Fri, 11 Jan 2002 11:00:54 +0100 (CET)
> Delivered-To: [EMAIL PROTECTED]
> Received: from pop.does-not-exist.org by localhost with POP3 (fetchmail-5.3.3)
>     for [EMAIL PROTECTED] (single-drop); Fri, 11 Jan 2002 11:00:54 +0100 (CET)
> Received: by mail.mediacompany.com (Postfix, from userid 500)
>     id BC5E5480A; Fri, 11 Jan 2002 10:56:22 +0100 (CET)
> Delivered-To: [EMAIL PROTECTED]
> Received: from ns.gbnet.net (ns.gbnet.net [194.70.126.10])
>     by mail.mediacompany.com (Postfix) with SMTP id EDAD14807
>     for [EMAIL PROTECTED]; Fri, 11 Jan 2002 10:56:21 +0100 (CET)
> Received: (qmail 29293 invoked by uid 610); 11 Jan 2002 09:55:14 -
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 29140 invoked from network); 11 Jan 2002 09:54:53 -
> Received: from server.trymedia.com (HELO postal.trymedia.com) (209.24.233.55)
>     by ns.gbnet.net with SMTP; 11 Jan 2002 09:54:53 -
> Received: by postal.trymedia.com (Postfix, from userid 0)
>     id A9F355E2D; Fri, 11 Jan 2002 01:54:49 -0800 (PST)
> From: Thomas Roessler [EMAIL PROTECTED]
> To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
> Message-Id: [EMAIL PROTECTED]
> Date: Fri, 11 Jan 2002 01:54:49 -0800 (PST)
> Sender: [EMAIL PROTECTED]
> Precedence: bulk
>
> --zhXaljGHf11kAtnf
> Content-Type: text/plain; charset=us-ascii; format=flowed
> Content-Disposition: inline
> Content-Transfer-Encoding: quoted-printable
>
> mutt-1.2.5.1 and mutt-1.3.25 have just been released. These releases both fix a security hole which can be remotely exploited. The problem was found and a fix suggested by Joost Pol [EMAIL PROTECTED]. Thanks for that.
>
> mutt-1.2.5.1 is released as an update to the last stable version of mutt, mutt-1.2.5. The ONLY relevant change in this version is the fix mentioned above. No other bugs present in 1.2.5 have been fixed. You only want to upgrade to this version of mutt if you absolutely have to stick with the mutt-1.2 series.
>
> mutt-1.3.25 is the latest BETA version of mutt, and very close to what will eventually become mutt-1.4. Personally, I'd recommend that you download and use this version.
>
> The tar balls, with detached PGP signatures, will be available from=20
> ftp://ftp.mutt.org/pub/mutt/ in some minutes.
>
> As an alternative, you can apply the patch available from=20
> ftp://ftp.mutt.org/pub/mutt/patch-1.2,3.rfc822_terminate.1 to any=20
> 1.2 or 1.3 series mutt source code, and rebuild.
>
> I apologize for the problem, and wish all of you a happy new year.
>
> --=20
> Thomas Roessler http://log.does-not-exist.org/
>
> --zhXaljGHf11kAtnf
> Content-Type: application/pgp-signature
> Content-Disposition: inline
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> -----END PGP SIGNATURE-----
>
> --zhXaljGHf11kAtnf--

--
Thomas Roessler http://log.does-not-exist.org/
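
Added example (not part of any message in this thread): the two header checks discussed above, the oldest Received hop and MIME part headers showing up in the body, run on a constructed sample modelled on the quoted duplicate. The function names, the `example.invalid` address and the expected sender domain `does-not-exist.org` are assumptions made for the illustration.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the thread.
# The address is a placeholder; top-level MIME headers are deliberately absent.
RAW = """\
Received: from server.trymedia.com (HELO postal.trymedia.com) (209.24.233.55)
\tby ns.gbnet.net with SMTP
Received: by postal.trymedia.com (Postfix, from userid 0) id A9F355E2D
From: Thomas Roessler <sender@example.invalid>
Subject: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.

--zhXaljGHf11kAtnf
Content-Type: text/plain; charset=us-ascii; format=flowed

mutt-1.2.5.1 and mutt-1.3.25 have just been released.

--zhXaljGHf11kAtnf
Content-Type: application/pgp-signature

--zhXaljGHf11kAtnf--
"""

def origin_host(raw):
    """Host that wrote the oldest (bottom-most) Received header, or None."""
    hops = message_from_string(raw).get_all("Received", [])
    m = re.search(r"\bby\s+(\S+)", " ".join(hops[-1].split())) if hops else None
    return m.group(1) if m else None

def orphaned_boundary(raw):
    """Boundary token found in the body although the headers declare no multipart."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    m = re.search(r"^--(\S+)\r?\nContent-Type:", body, re.M | re.I)
    if m and re.search(r"^--" + re.escape(m.group(1)) + r"--\s*$", body, re.M):
        return m.group(1)
    return None

def reinjection_findings(raw, expected_domain):
    """Findings for one message; expected_domain is the sender's usual mail domain (assumed)."""
    findings = []
    host, token = origin_host(raw), orphaned_boundary(raw)
    if host and host != expected_domain and not host.endswith("." + expected_domain):
        findings.append(f"oldest hop {host} is outside {expected_domain}")
    if token:
        findings.append(f"MIME boundary {token} in body, no multipart header")
    return findings
```

Calling `reinjection_findings(RAW, "does-not-exist.org")` reports both conditions for the sample; a copy that still carries its `multipart/signed` header and leaves from the expected domain reports none.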
Re: Duplicate. Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
On Fri, Jan 11, 2002 at 05:56:07PM +0100, Thomas Roessler wrote:
> This was a duplicate message apparently inserted at trymedia.com. It's certainly not the version of the message I sent out.

Looks like someone re-injected. Next time I'll check more carefully. Sorry

(also can't find any trymedia people on the list)

Steve
--
NetTek Ltd Flat 2, 43 Howitt Road, Belsize Park, London NW3 4LU, UK
tel +44-(0)20 7483 1169 fax +44-(0)20 7483 2455 mob 07775 755503
SMS steve-pager (at) gbnet.net [body] gpg 1024D/468952DB 2001-09-19
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
On Fri, Jan 04, 2002 at 02:34:00PM +0100, Kai Blin wrote:
> This means you can send an email with the header line hacked and execute code that's run with the rights of the mutt user.

In this particular case it would be difficult to exploit because the attacker only has the option of writing one NUL (0x00) byte and can't choose to write arbitrary instructions onto the stack. IMO, at worst it really would only be a DoS attack.

me
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
On Wed, Jan 02, 2002 at 04:51:16PM -0500, Russell Hoover wrote:
> May we be told the nature (if not the details) of the vulnerability?

http://www.debian.org/security/2002/dsa-096

--
Ben Reser [EMAIL PROTECTED]
http://ben.reser.org

I wish it need not have happened in my time, said Frodo. So do I, said Gandalf, and so do all who live in such times. But that is not for them to decide. All we have to decide is what to do with the time that is given us.
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
Alas! Ben Reser spake thus:
> > May we be told the nature (if not the details) of the vulnerability?
>
> http://www.debian.org/security/2002/dsa-096

Still waiting for the woody package :-\

--
Rob 'Feztaa' Park
[EMAIL PROTECTED]
--
A verbal contract isn't worth the paper it's written on.
-- Samuel Goldwyn
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
Rob --

...and then Feztaa said...
%
% Alas! Ben Reser spake thus:
% > > May we be told the nature (if not the details) of the vulnerability?
% >
% > http://www.debian.org/security/2002/dsa-096
%
% Still waiting for the woody package :-\

Hey, you can compile stuff now; go and get 1.3.25 and build it yourself.

%
% --
% Rob 'Feztaa' Park
% [EMAIL PROTECTED]
% --
% A verbal contract isn't worth the paper it's written on.
% -- Samuel Goldwyn

:-D
--
David T-G * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
Thus spake Rob 'Feztaa' Park ([EMAIL PROTECTED]):
> Still waiting for the woody package :-\

Add a sid line to your sources list, then 'apt-get update; apt-get install mutt/unstable' should do it. I don't think the deps are unusual.

--
Justin R. Miller [EMAIL PROTECTED]
View my website at http://codesorcery.net
Please encrypt email using key 0xC9C40C31
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
Alas! David T-G spake thus:
> % http://www.debian.org/security/2002/dsa-096
> %
> % Still waiting for the woody package :-\
>
> Hey, you can compile stuff now; go and get 1.3.25 and build it yourself.

Sorry, too busy building my LFS system. I don't want to have to worry about recompiling mutt ;)

--
Rob 'Feztaa' Park
[EMAIL PROTECTED]
--
The difference between fiction and reality is that fiction has to make sense.
-- Tom Clancy
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
Thus spake Will Yardley ([EMAIL PROTECTED]):
> well you could remove the line when done / run another apt-get update or just download the unstable package from debian's site and dpkg -i it

Yes, I should have mentioned that the sources.list addition was a temporary one. You may also investigate pinning as described in the article mentioned by Mr. Schrab.

--
Justin R. Miller [EMAIL PROTECTED]
View my website at http://codesorcery.net
Please encrypt email using key 0xC9C40C31
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
Alas! Will Yardley spake thus:
> just download the unstable package from debian's site and dpkg -i it

http://packages.debian.org/cgi-bin/search_packages.pl?keywords=mutt&searchon=names&subword=1&version=all&release=all

It doesn't seem as though 1.3.25 is released in any of the Debian releases.

--
Rob 'Feztaa' Park
[EMAIL PROTECTED]
--
Verbogeny is one of the pleasurettes of a creatific thinkerizer.
-- Peter da Silva
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
Alas! Justin R. Miller spake thus:
> > It doesn't seem as though 1.3.25 is released in any of the Debian releases.
>
> http://packages.debian.org/unstable/non-us/mutt.html
>
> That, and I'm running it! ;-)

Good thing it didn't show up in the search, I might have found it!

--
Rob 'Feztaa' Park
[EMAIL PROTECTED]
--
A common trait of many of the companies that failed is that they gave away for free or at a loss the very thing they produced that was of greatest value - in the hope they'd somehow make money selling something else.
-- Microsoft, presumably not referring to Internet Explorer.
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
Rob 'Feztaa' Park wrote:
> Alas! Justin R. Miller spake thus:
> > > It doesn't seem as though 1.3.25 is released in any of the Debian releases.
> >
> > http://packages.debian.org/unstable/non-us/mutt.html
> >
> > That, and I'm running it! ;-)
>
> Good thing it didn't show up in the search, I might have found it!

shows up ok for me...

http://packages.debian.org/cgi-bin/search_packages.pl?keywords=mutt&searchon=names&subword=1&version=all&release=all

which leads to:

http://packages.debian.org/unstable/non-us/mutt.html

i generally find debian's package search to be more than adequate, although sometimes it is a bit strange. this time, a search for 'mutt' in distribution 'any' and section 'any' brought up the desired results.

that said, i prefer to 'roll my own', so to speak, on the debian machines i work with (and same for freebsd).

w
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
Alas! Will Yardley spake thus:
> this time, a search for 'mutt' in distribution 'any' and section 'any' brought up the desired results.

That's exactly what I searched for. In fact, that url you posted looks exactly like the one I posted...

--
Rob 'Feztaa' Park
[EMAIL PROTECTED]
--
A nymphomaniac is a woman as obsessed with sex as the average man.
-- Mignon McLaughlin
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
On Tue 01/01/02 at 09:40 PM +0100, Thomas Roessler [EMAIL PROTECTED] wrote:
> mutt-1.2.5.1 and mutt-1.3.25 have just been released. These releases both fix a security hole which can be remotely exploited.

^ ^^

I'm not sure what that means -- can you send an e-mail message that hijacks the mutt process?

--
// [EMAIL PROTECTED] //
Re: [Announce] SECURITY: mutt-1.2.5.1 and mutt-1.3.25 released.
On Tue 01/01/02 at 09:40 PM +0100, Thomas Roessler [EMAIL PROTECTED] wrote:
> mutt-1.2.5.1 and mutt-1.3.25 have just been released. These releases both fix a security hole which can be remotely exploited.

May we be told the nature (if not the details) of the vulnerability?

--
// [EMAIL PROTECTED] //