Red Hat Linux 6.1 Security Advisory

 
Package: nmh
Synopsis: New nmh packages available
Advisory ID: RHSA-2000:006-01
Issue Date: 2000-03-06
Updated On: 2000-03-06
Product: Red Hat Linux
Keywords: nmh mime mhshow



1. Topic:
New nmh packages are available to fix a security problem in MIME header parsing.

2. Problem description:
By creating specially formed MIME headers, it was possible to have nmh's 'mhshow' utility execute arbitrary shell code.

It is recommended that all users of nmh upgrade to the fixed packages.

3. Bug IDs fixed: (see bugzilla for more information)
9921 - security bug in nmh

4. Relevant releases/architectures:
Red Hat Linux 5.2 - i386 alpha sparc
Red Hat Linux 6.0 - i386 alpha sparc
Red Hat Linux 6.1 - i386 alpha sparc

5. Obsoleted by:
None

6. Conflicts with:
None

7. RPMs required:

Intel:

ftp://updates.redhat.com/6.1/en/os/i386/

nmh-1.0.3-6x.i386.rpm

Alpha:

ftp://updates.redhat.com/6.1/en/os/alpha

nmh-1.0.3-6x.alpha.rpm

SPARC:

ftp://updates.redhat.com/6.1/en/os/sparc

nmh-1.0.3-6x.sparc.rpm

Source:

ftp://updates.redhat.com/6.1/en/os/SRPMS

nmh-1.0.3-6x.src.rpm

8. Solution:
For each RPM for your particular architecture, run:

rpm -Fvh filename

where filename is the name of the RPM.

9. Verification:


 MD5 sum                           Package Name
 -------------------------------------------------------------------------
158d9ce6bcbc130fdcc069218440c14e  6.1/en/os/alpha/nmh-1.0.3-6x.alpha.rpm
829927f436bab62a4a6b3e9ba0b8ab36  6.1/en/os/SRPMS/nmh-1.0.3-6x.src.rpm
59a31706a3747717e6aaec9c5f1b3122  6.1/en/os/sparc/nmh-1.0.3-6x.sparc.rpm
272c5a8bbdd1c6b7ed60595cf4521d01  6.1/en/os/i386/nmh-1.0.3-6x.i386.rpm

 
These packages are GPG signed by Red Hat, Inc. for security. Our key is available at:
http://www.redhat.com/about/contact.html

You can verify each package with the following command:

rpm --checksig filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

rpm --checksig --nogpg filename

Note that you need RPM >= 3.0 to check GnuPG keys.
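
The following is an added example, not part of the Red Hat advisory: a shell function that compares downloaded packages with an "MD5 sum / Package Name" table saved from an advisory like this one, matching rows to local files by file name because the table lists FTP-tree paths. The function name `verify_against_advisory` is hypothetical, `md5sum` is assumed to be installed, and the demo at the end uses a constructed stand-in file rather than a real package. It checks the MD5 column only; the GPG signature is still checked with rpm --checksig as described above.

```shell
#!/bin/sh
# Usage: verify_against_advisory TABLE_FILE DOWNLOAD_DIR
# Returns 0 if every listed package found in DOWNLOAD_DIR matches the table,
# 1 if any found package has a different MD5, 2 if no listed package was found.
verify_against_advisory() {
    table=$1 dir=$2 checked=0 bad=0
    while read -r sum path rest; do
        # Keep only rows shaped like "<32 hex digits>  <path>.rpm";
        # the header, the rule line and blank lines are skipped.
        case $sum in
            *[!0-9a-fA-F]*|'') continue ;;
        esac
        [ "${#sum}" -eq 32 ] || continue
        case $path in *.rpm) ;; *) continue ;; esac
        file=$dir/${path##*/}        # table paths are relative to the FTP tree
        [ -f "$file" ] || continue   # packages for other architectures
        checked=$((checked + 1))
        actual=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$actual" = "$(printf %s "$sum" | tr 'A-F' 'a-f')" ]; then
            echo "OK        ${path##*/}"
        else
            echo "MISMATCH  ${path##*/} (expected $sum, got $actual)"
            bad=$((bad + 1))
        fi
    done < "$table"
    [ "$checked" -gt 0 ] || { echo "no listed packages found in $dir"; return 2; }
    [ "$bad" -eq 0 ]
}

# Constructed demo: a stand-in file and a one-row table built from its own MD5.
demo_dir=$(mktemp -d)
printf 'constructed stand-in, not a real RPM\n' > "$demo_dir/example-1.0-1.i386.rpm"
printf '%s  0.0/en/os/i386/example-1.0-1.i386.rpm\n' \
    "$(md5sum < "$demo_dir/example-1.0-1.i386.rpm" | cut -d' ' -f1)" \
    > "$demo_dir/table.txt"
verify_against_advisory "$demo_dir/table.txt" "$demo_dir"
rm -rf "$demo_dir"
```

A return value of 2 means nothing was compared, which should be treated as a failed check rather than a pass.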

10. References: