Index: QUICK//hdrs/patchlevel.h
*** elm2.4.ME+.28//hdrs/patchlevel.h	Mon Sep 30 19:08:25 1996
--- QUICK//hdrs/patchlevel.h	Wed Dec 18 10:19:41 1996
***************
*** 1 ****
! #define PATCHLEVEL "28 (25)"
--- 1 ----
! #define PATCHLEVEL "28s (25)"
Index: QUICK//README.ME+
*** elm2.4.ME+.28//README.ME+	Mon Sep 30 19:08:25 1996
--- QUICK//README.ME+	Wed Dec 18 09:41:21 1996
***************
*** 11,16 ****
--- 11,25 ----
  Version Elm2.4 PL24 ME8b is based to version Elm2.4 PL24.
  Version Elm2.4ME+ PLx (25) includes patch of version Elm2.4 PL25.
  
+ Changes of Elm2.4ME+ PL28s (25) compared to Elm2.4ME+ PL28 (25)
+ --------------------------------------------------------------
+ 
+ 	- SECURITY: Elm was passing `shell command` without
+ 	  quotation to shell when invoking sendmail.
+ 	  Reported by: Wolfgang Ley <ley@cert.dfn.de>
+ 		 from: "Computer Emergency Response Team, Germany"
+ 			<dfncert@cert.dfn.de>
+ 
  Changes of Elm2.4ME+ PL28 (25) compared to Elm2.4ME+ PL27 (25)
  --------------------------------------------------------------
  
Index: QUICK//hdrs/defs.h
*** elm2.4.ME+.28//hdrs/defs.h	Sun Sep 22 18:33:56 1996
--- QUICK//hdrs/defs.h	Wed Dec 18 10:19:29 1996
***************
*** 195,203 ****
  
  
  # define VERSION	"2.4ME+"		/* Version number... */
! # define VERS_DATE	"Sep, 1996"	/* for elm -v option */
  # define WHAT_STRING	\
! 	"@(#) Version 2.4(ME+), USENET supported version, released Sep, 1996"
  
  #if defined(__STDC__) || defined(_AIX)
  # define ANSI_C 1
--- 195,203 ----
  
  
  # define VERSION	"2.4ME+"		/* Version number... */
! # define VERS_DATE	"Dec, 1996"	/* for elm -v option */
  # define WHAT_STRING	\
! 	"@(#) Version 2.4(ME+), USENET supported version, released Dec, 1996"
  
  #if defined(__STDC__) || defined(_AIX)
  # define ANSI_C 1
Index: QUICK//src/strings.c
*** elm2.4.ME+.28//src/strings.c	Mon Jun 17 15:26:35 1996
--- QUICK//src/strings.c	Wed Dec 18 09:42:38 1996
***************
*** 398,404 ****
  		    break;
  
  		  while (--len >= 0) {
! 		    if (*in_string == '"' || *in_string == '\\' || *in_string == '$')
  		      *out_string++ = '\\';
  		    *out_string++ = *in_string++;
  		  }
--- 398,405 ----
  		    break;
  
  		  while (--len >= 0) {
! 		    if (*in_string == '"' || *in_string == '\\' || 
! 			*in_string == '$' || *in_string == '`')
  		      *out_string++ = '\\';
  		    *out_string++ = *in_string++;
  		  }
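Review bot: The test in the `while (--len >= 0)` loop now escapes the double quote, backslash, `$` and backquote, which is the set sh treats specially inside double quotes, but it is only safe if every caller places the result between double quotes, and nothing in the hunk states or enforces that. I would add a comment above the test, for example `/* Result is only safe between double quotes: escapes ", \, $ and backquote. */`, so the routine is not reused for unquoted arguments. Each escaped character writes two bytes through `out_string` while the loop is bounded only by the input `len`; the function starts and ends outside this hunk, so the destination size may be checked elsewhere, but it should be confirmed that the buffer allows for twice the input length plus the terminator. Longer term, invoking sendmail with an explicit argument vector rather than a shell command line would remove the dependence on a hand-maintained character list.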
