Vincent Lefevre wrote:
> Package: mutt
> Version: 1.5.11+cvs20060126-2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Mutt doesn't filter control characters, in particular the ^J and ^M,
> from headers, which can lead to unwanted behavior; in particular when
> replying, the reply can be sent to a 3rd address given in the Subject
> (and the user won't probably notice it). More details are given here:

It seems to me that this problem only exists when edit_headers is set.
However, with this option set the user sees the recipients of the mail
and can edit the header fields.

In that, it is comparable to specifying 'Reply-To: [EMAIL PROTECTED],
[EMAIL PROTECTED]' or using the famous Mail-Followup-To: header.

Hence, I don't consider this bug warrants an update via
security.debian.org.

It may be serious enough to justify an update in stable via
proposed-updates, though. Please talk to the stable release people
about it.

Regards,

Joey

--
Reading is a lost art nowadays. -- Michael Weber

Please always Cc to me when replying to me on the lists.
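
The filtering the report asks for, as an added example that is not part of this thread and is not mutt's code: control characters, including ^M and ^J, are replaced in a decoded header value before it is written into the header block the user edits. The function names, the simplified reply template and the sample Subject are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not mutt's code): replace every control character
 * in a decoded header value, including CR (^M) and LF (^J), with a space
 * so the value cannot start a new header line. Returns the number of
 * bytes replaced so the caller can log or warn. */
static size_t sanitize_header_value(char *value)
{
    size_t replaced = 0;
    for (unsigned char *p = (unsigned char *)value; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) {   /* C0 controls and DEL */
            *p = ' ';
            replaced++;
        }
    }
    return replaced;
}

/* Count header lines in a block; each '\n' ends one line. */
static int count_header_lines(const char *block)
{
    int n = 0;
    for (; *block; block++)
        if (*block == '\n')
            n++;
    return n;
}

/* Build the Subject line of a reply template (simplified assumption of
 * what an editable header block contains). Returns the number of header
 * lines produced; exactly 1 is expected for a single header. */
static int build_reply_subject(const char *decoded_subject, char *out,
                               size_t outlen, int sanitize)
{
    char tmp[256];
    snprintf(tmp, sizeof tmp, "%s", decoded_subject);
    if (sanitize)
        sanitize_header_value(tmp);
    snprintf(out, outlen, "Subject: Re: %s\n", tmp);
    return count_header_lines(out);
}

int main(void)
{
    /* Constructed sample: a decoded Subject carrying ^M^J and a header. */
    const char *subject = "hello\r\nCc: third@example.invalid";
    char out[512];
    printf("unsanitized: %d line(s)\n",
           build_reply_subject(subject, out, sizeof out, 0));
    printf("sanitized:   %d line(s)\n",
           build_reply_subject(subject, out, sizeof out, 1));
    return 0;
}
```

Bytes at 0x80 and above are left alone, so UTF-8 text in a decoded Subject survives the filter.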