From jhardin at impsec.org Sat Sep 9 21:19:09 2006
From: jhardin at impsec.org (John D. Hardin)
Date: Sat, 9 Sep 2006 21:19:09 -0700 (PDT)
Subject: [esa-l] NOTICE: ZIP archived filename length checks in Sanitizer
Message-ID:

All:

A BO vulnerability has been announced in the DUNZIP32.dll zipfile library used by many commercial programs, including Lotus Notes and Real Audio player.

In an attempt to mitigate this vulnerability, archived filename length checks have been added to the development version of the Procmail Email Sanitizer, and a patch to add these checks to recent stable releases is also available.

The patch is available at:

  http://www.impsec.org/email-tools/sanitizer_zip_filename_length.patch

The development version of the sanitizer is available at:

  http://www.impsec.org/email-tools/development/

The sanitizer home page is:

  http://www.impsec.org/email-tools/procmail-security.html

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.
                                                        -- Henry George
-----------------------------------------------------------------------
 8 days until The 219th anniversary of the signing of the U.S. Constitution
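The check the post describes, as an added example that is not the Sanitizer's own code (the Sanitizer is procmail/perl; this is a stand-alone Python illustration): walk the raw ZIP local file headers and central directory by hand, without handing the bytes to any unzip library, and flag every entry whose filename-length field exceeds a limit. The 255-byte limit, the helper names, and the sample archives are assumptions for this example; the post does not state what limit the Sanitizer patch uses. Both header types are checked, and the central directory's length is compared with the local header it points to, because a crafted archive can declare different lengths in each place and a vulnerable DLL may trust either.

```python
"""Scan a ZIP archive's raw headers for over-long filename length fields."""
import io
import struct
import zipfile

# Assumed threshold for this example; the post does not state the Sanitizer's limit.
MAX_NAME_LEN = 255

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")         # local file header, 30 bytes
CENTRAL_HDR = struct.Struct("<4sHHHHHHIIIHHHHHII")  # central directory entry, 46 bytes
EOCD = struct.Struct("<4sHHHHIIH")                  # end of central directory, 22 bytes


def scan_zip_filename_lengths(data, max_len=MAX_NAME_LEN):
    """Return a list of (source, declared_len) findings for every header whose
    filename length field exceeds max_len, plus ("mismatch", n) when a central
    directory entry and the local header it points to disagree. An empty list
    means nothing exceeded the limit. Malformed structure is reported as -1."""
    findings = []

    # 1. Walk local file headers from the start of the file.
    pos = 0
    while pos + LOCAL_HDR.size <= len(data):
        fields = LOCAL_HDR.unpack_from(data, pos)
        if fields[0] != b"PK\x03\x04":
            break
        flags, csize, name_len, extra_len = fields[2], fields[7], fields[9], fields[10]
        if name_len > max_len:
            findings.append(("local", name_len))
        if flags & 0x0008:
            # Data descriptor in use: csize here is unreliable, so stop walking
            # local headers and rely on the central directory below.
            break
        pos += LOCAL_HDR.size + name_len + extra_len + csize

    # 2. Walk the central directory, located via the end-of-central-directory record.
    eocd_pos = data.rfind(b"PK\x05\x06")
    if eocd_pos < 0 or eocd_pos + EOCD.size > len(data):
        findings.append(("eocd", -1))  # truncated or not a ZIP: treat as suspicious
        return findings
    _, _, _, _, entries, _cd_size, cd_offset, _ = EOCD.unpack_from(data, eocd_pos)
    pos = cd_offset
    for _ in range(entries):
        if pos + CENTRAL_HDR.size > len(data):
            findings.append(("central", -1))
            break
        fields = CENTRAL_HDR.unpack_from(data, pos)
        if fields[0] != b"PK\x01\x02":
            findings.append(("central", -1))
            break
        name_len, extra_len, comment_len, local_off = fields[10], fields[11], fields[12], fields[16]
        if name_len > max_len:
            findings.append(("central", name_len))
        # Cross-check against the local header this entry points to.
        if local_off + LOCAL_HDR.size <= len(data):
            lf = LOCAL_HDR.unpack_from(data, local_off)
            if lf[0] == b"PK\x03\x04" and lf[9] != name_len:
                findings.append(("mismatch", lf[9]))
        pos += CENTRAL_HDR.size + name_len + extra_len + comment_len
    return findings


def make_zip(entries):
    """Constructed test input: build a STORED ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def tamper_local_name_len(data, new_len):
    """Constructed hostile input: overwrite the filename-length field (offset 26)
    of the first local file header while leaving the central directory intact."""
    return data[:26] + struct.pack("<H", new_len) + data[28:]


if __name__ == "__main__":
    benign = make_zip({"notes.txt": b"hello", "img/photo.jpg": b"\xff\xd8"})
    print("benign   :", scan_zip_filename_lengths(benign))
    print("long name:", scan_zip_filename_lengths(make_zip({"A" * 4000: b"x"})))
    print("tampered :", scan_zip_filename_lengths(tamper_local_name_len(benign, 0xFFFF)))
```

Any finding is grounds to quarantine or defang the attachment rather than pass it on; a scanner of this kind should also stop at the first structural oddity, since the goal is to keep hostile archives away from the vulnerable library, not to recover what they contain.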