--- a/lisp/gnus/ChangeLog	Mon Nov 20 02:28:23 2006 +0000
+++ b/lisp/gnus/ChangeLog	Mon Nov 20 02:43:10 2006 +0000
@@ -1,3 +1,10 @@
+2006-11-18  Andreas Seltenreich  <uwi7@rz.uni-karlsruhe.de>
+
+	* mm-uu.el (mm-uu-pgp-signed-extract-1): Make last fix more thorough
+	and comment it.
+
+	* nnslashdot.el (nnslashdot-retrieve-headers-1): Update regexp.
+
 2006-11-15  Reiner Steib  <Reiner.Steib@gmx.de>
 
 	* gnus-util.el (gnus-extract-address-components): Improve comment.

--- a/lisp/gnus/mm-uu.el	Mon Nov 20 02:28:23 2006 +0000
+++ b/lisp/gnus/mm-uu.el	Mon Nov 20 02:43:10 2006 +0000
@@ -373,8 +373,16 @@
 	   mm-security-handle 'gnus-details
 	   (format "Clear verification not supported by `%s'.\n" mml2015-use))))
       (goto-char (point-min))
-      (if (re-search-forward "\n[\t ]*\n" nil t)
-	  (delete-region (point-min) (point)))
+      (forward-line)
+      ;; We need to be careful not to strip beyond the armor headers.
+      ;; Previously, an attacker could replace the text inside our
+      ;; markup with trailing garbage by injecting whitespace into the
+      ;; message.
+      (while (looking-at "Hash:") ; The only header allowed in cleartext
+	(forward-line))		  ; signatures according to RFC2440.
+      (when (looking-at "[\t ]*$")
+	(forward-line))
+      (delete-region (point-min) (point))
       (if (re-search-forward mm-uu-pgp-beginning-signature nil t)
 	  (delete-region (match-beginning 0) (point-max)))
       (goto-char (point-min))

--- a/lisp/gnus/nnslashdot.el	Mon Nov 20 02:28:23 2006 +0000
+++ b/lisp/gnus/nnslashdot.el	Mon Nov 20 02:43:10 2006 +0000
@@ -142,7 +142,7 @@
 	  (setq article (if (and article (< start article)) article start))
 	  (goto-char point)
 	  (while (re-search-forward
-		  "<a name=\"\\([0-9]+\\)\">\\([^<]+\\)</a>.*\n.*\n.*score:\\([^)]+\\))"
+		  "<a name=\"\\([0-9]+\\)\">\\([^<]+\\)\\(?:.*\n\\)\\{2,10\\}.*score:\\([^)]+\\))"
 		  nil t)
 	    (setq cid (match-string 1)
 		  subject (match-string 2)