"Perhaps the most notable changes are bug fixes for broken "mbox"
functionality, for a crash when Taking to a Rule, for a crash when Sorting
on some IMAP servers, and for a problem when forwarding address book
entries and Taking them, which caused remote address book corruption.
There is some new support for reading news from more than one NNTP server,
a new tab-checks-recent feature to allow checking for new mail in a folder
without opening it, and a few other small improvements."
An attacker can send a fully legal email message with a crafted
From-header and thus forcing pine to core dump on startup.
The only way to launch pine is manually removing the bad message
either directly from the spool, or from another MUA. Until the
message has been removed or edited there is no way of accessing
the INBOX using pine.
http://marc.theaimsgroup.com/?l=bugtraq&m=103668430620531&w=2
--
This note is to announce the availability of the Pine Message System version
4.44. The purpose of this release is to fix a security bug with the treatment
of quotes in the URL-handling code. The bug allows a malicious sender to
embed commands in a URL. This bug is present in all versions of UNIX Pine.
There is no vulnerability from this bug in PC-Pine.
- never create an ldap FLAVORized Pico package since it does not pertain
to Pico and do not mistakenly register a dependency on ldap with the
package either
Pine has historically built against an internal copy
of the c-client library, however c-client development
has progressed beyond what is shipped with pine.
(It would appear that all new development work is
being done via UW's imap server codebase.) This change
allows pine to utilize improvements/bugfixes in the
c-client library. A consequence of this change is
that the recently reported vulnerability to BugTraq
regarding malformed X-keywords header has been fixed.