Mailman vulnerability

David Eisenstein deisenst at gtw.net
Sat Oct 7 15:13:52 UTC 2006


----- Original Message ----- 
From: "Martin Marques" <martin at bugs.unl.edu.ar>
To: <fedora-legacy-list at redhat.com>
Sent: Thursday, October 05, 2006 7:19 AM
Subject: Mailman vulnerability


> I have a FC4 web server installed and got this mailman report:
> 
> http://www.securityfocus.com/bid/19831/discuss
> 
> Is it something to worry about?
> 
> I am thinking about promoting it to FC5 but as it is a server in 
> production I want to make a very good plan first.
> 

Hi Martin,

Thanks for writing.  Indeed, these are issues that we in Legacy need to
deal with.  As far as I can tell, the latest version of mailman released
for FC4 was mailman-2.1.8-9.FC4.1, released around 9-May-2006.  The issue
discussed in that securityfocus BID 19831 indicates that mailman-2.1.8 is
vulnerable to those issues.

Red Hat Security Team (in RHSA-2006-0600) has rated two of the three CVE
issues mentioned in BID 19831 as having a moderate security impact:

   "A flaw was found in the way Mailman handled MIME multipart messages.
   An attacker could send a carefully crafted MIME multipart email
   message to a mailing list run by Mailman which caused that particular
   mailing list to stop working. (CVE-2006-2941)

   "Several cross-site scripting (XSS) issues were found in Mailman.
   An attacker could exploit these issues to perform cross-site
   scripting attacks against the Mailman administrator. (CVE-2006-3636)"

The third issue is CVE-2006-4624: "CRLF injection vulnerability in
Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof
messages in the error log and possibly trick the administrator into
visiting malicious URLs via a carriage return/line feed sequences in the
URI."  This issue has been given a low security impact, and hasn't yet
been fixed by Red Hat Enterprise Linux.  However, Fedora Core 6 Test 2
upgraded to mailman-2.1.9, which fixes all three problems.

Would you like us to do similarly for FC4/FC3?

Have entered Bug 
   <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209891>
for this issue.

        Regards,
        David Eisenstein
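The CVE-2006-4624 description above is about untrusted request data (the URI) being written to the error log with its carriage-return/line-feed characters intact, so one request can forge what looks like additional log entries. The following is an added example, not Mailman's code and not from the mailing-list thread: a small log-formatting helper in Python (Mailman's language) that shows the difference between writing a caller-supplied field verbatim and escaping control characters first. The function names, the log-line layout and the sample URI are all constructed for this illustration.

```python
"""Added example (not Mailman code): keep caller-supplied fields from
breaking a log line into several.

CVE-2006-4624 describes CR/LF sequences in a request URI reaching the
error log verbatim.  The defensive pattern is to escape every control
character in untrusted fields before they are written, so a logged value
can never start a new record.  All names here are hypothetical.
"""

import re

# Every ASCII control character (0x00-0x1f, which includes \r and \n) and DEL.
_CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def escape_log_value(value):
    """Render control characters as \\xNN so the value stays on one line."""
    return _CONTROL_CHARS.sub(lambda m: '\\x%02x' % ord(m.group(0)), value)


def format_log_line_unsafe(source, message, uri):
    """The weak pattern: fields are interpolated exactly as received."""
    return '%s: %s: %s' % (source, message, uri)


def format_log_line(source, message, uri):
    """The corrected pattern: every field is escaped before interpolation."""
    return '%s: %s: %s' % (escape_log_value(source),
                           escape_log_value(message),
                           escape_log_value(uri))


def record_count(text):
    """How many log records a reader would see in the given text."""
    return len(text.splitlines())


if __name__ == '__main__':
    # Constructed sample request path carrying an embedded CR/LF pair.
    uri = '/mailman/listinfo/example\r\nadmin: forged entry'
    unsafe = format_log_line_unsafe('admin', 'No such list', uri)
    safe = format_log_line('admin', 'No such list', uri)
    print('unsafe records: %d' % record_count(unsafe))   # 2
    print('safe records:   %d' % record_count(safe))     # 1
    print(safe)
```

Escaping rather than stripping is deliberate: the `\x0d\x0a` left in the record shows an administrator reviewing the log that the request contained those bytes, which is exactly the signal worth keeping when investigating.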