An updated mc package that resolves several shell escape security issues is now available. [Updated 5 January 2005] Packages have been updated to include the gmc and mcserv packages which were left out of the initial errata.
Midnight Commander (mc) is a visual shell much like a file manager. Shell escape bugs have been discovered in several of the mc vfs backend scripts. An attacker who is able to influence a victim to open a specially-crafted URI using mc could execute arbitrary commands as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0494 to this issue. Users of mc should upgrade to this updated package which contains backported patches and is not vulnerable to this issue.