-----BEGIN PGP SIGNED MESSAGE-----

==============================================================================
Security Advisory                                                      CERT-NL
==============================================================================
Author/Source : Gert Meijerink                              Index  :   S-97-39
Distribution  : World                                       Page   :         1
Classification: External                                    Version:         1
Subject       : Vulnerability in metamail                   Date   : 22-mei-97
==============================================================================

By courtesy of CERT Coordination Center we received the following
information.

The CERT Coordination Center has received reports of a vulnerability in
metamail, a program that implements MIME. By exploiting the vulnerability, a
sender of a MIME-encoded electronic mail message can cause the receiver of the
message to execute an arbitrary command if the receiver processes the message
using the metamail package. If the attacker has an account on the target
user's local system or if the target user's system supports AFS or another
distributed filesystem, then the attacker can arrange for the arbitrary
command to be one the attacker created. This affects versions of metamail
through 2.7 (the current version).

CERT-NL recommends to act according to the CERT-CC advisory.

All CERT Coordination Center advisories are mirrored by CERT-NL.
The specific URL for this case is:

<ftp://ftp.surfnet.nl/surfnet/net-security/cert-cc-mirror/
cert_advisories/CA-97.14.metamail>

ADVISORIES ARE REGULARLY UPDATED BY CERT COORDINATION CENTER.
Therefore we advise you to check on our mirror regularly -
you can automate this process using the CERT-NL notifier service.

More information about the CERT-NL mirror and notifier services is
contained in News items N-95-01 (notifier) and N-95-02 (CERT mirror),
both present on
<ftp://ftp.surfnet.nl/surfnet/net-security/cert-nl/docs/news/>

==========================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
  <http://www.surfnet.nl/surfnet/security/cert-nl.html>
  <ftp://ftp.surfnet.nl/surfnet/net-security>

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
   Email:     cert-nl@surfnet.nl
   Phone:     +31 302 305 305
   Fax:       +31 302 305 329
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands
   A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST
   members on request.
==========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: cp850

iQCVAwUBM4SjmkU5nQkWIq1FAQENdwP/W9ufZYnWhLTJIdvnejbplOpqjvhmxUEW
adVnCHAyVC4oXcSTcbNV8b8VY4ZB+ADx6QHY82kGPopgzhyReIjcotkKeaPdk4Cb
Al4i50kptOE6OlNF8fsSTF19t5w/5BEELvJ+m53xucmIm73h/asSF7p+vLaVvXt0
IYr2HGZ0YR0=
=j7bp
-----END PGP SIGNATURE-----