Mailman vulnerability
David Eisenstein
deisenst at gtw.net
Sat Oct 7 15:13:52 UTC 2006
----- Original Message -----
From: "Martin Marques" <martin at bugs.unl.edu.ar>
To: <fedora-legacy-list at redhat.com>
Sent: Thursday, October 05, 2006 7:19 AM
Subject: Mailman vulnerability
> I have a FC4 web server installed and got this mailman report:
>
> http://www.securityfocus.com/bid/19831/discuss
>
> Is it to worry?
>
> I am thinking about promoting it to FC5 but as it is a server in
> production I want to make a very good plan first.
>
Hi Martin,
Thanks for writing. Indeed, these are issues that we in Legacy need to
deal with. As far as I can tell, the latest version of mailman released
for FC4 was mailman-2.1.8-9.FC4.1, released around 9-May-2006. The issue
discussed in that securityfocus BID 19831 indicates that mailman-2.1.8 is
vulnerable to those issues.
Red Hat Security Team (in RHSA-2006-0600) has rated two of the three CVE
issues mentioned in BID 19831 as having a moderate security impact:
"A flaw was found in the way Mailman handled MIME multipart messages.
An attacker could send a carefully crafted MIME multipart email message
to a mailing list run by Mailman which caused that particular mailing
list to stop working. (CVE-2006-2941)
"Several cross-site scripting (XSS) issues were found in Mailman. An
attacker could exploit these issues to perform cross-site scripting
attacks against the Mailman administrator. (CVE-2006-3636)"
The third issue is CVE-2006-4624: "CRLF injection vulnerability in
Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof
messages in the error log and possibly trick the administrator into
visiting malicious URLs via carriage return/line feed sequences in the
URI." This issue has been given a low security impact, and hasn't yet
been fixed by Red Hat Enterprise Linux. However, Fedora Core 6 Test 2
upgraded to mailman-2.1.9, which fixes all three problems.
Would you like us to do similarly for FC4/FC3?
Have entered Bug
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209891>
for this issue.
Regards,
David Eisenstein
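The CVE-2006-4624 description quoted above names the general problem: a request URI written into a log unchanged lets an embedded CR/LF start a second, forged log record. The following Python block is an added illustration of that pattern and its fix; it is not Mailman's Utils.py or any Mailman code, and it assumes the URI has already been percent-decoded by the web server before the script sees it. The function names, the sample URI and the log line format are constructed for this example.

```python
"""Illustrative log-injection hardening (added example; not Mailman code)."""
import re

# Control characters that would let one logged field masquerade as a new
# log record when a reader (or a log parser) splits the file on line ends.
_CTRL = re.compile(r'[\r\n\x00-\x08\x0b\x0c\x0e-\x1f\x7f]')

# Constructed sample: a decoded request path carrying a CR/LF followed by
# text shaped like a second log entry.  Hypothetical, not a real request.
SAMPLE_URI = "/mailman/listinfo/nosuchlist\r\nOct 07 2006 (1234) forged entry"


def format_log_entry_naive(uri: str) -> str:
    """Unsafe pattern: the URI is interpolated into the log line verbatim,
    so a CR/LF inside it terminates the real record early and whatever
    follows appears as an independent record."""
    return "Bad URI: %s" % uri


def format_log_entry_safe(uri: str) -> str:
    """Hardened pattern: every control character is replaced by a visible
    escape sequence, so the entry always occupies exactly one line and the
    reviewer can still see that something odd was in the request."""
    cleaned = _CTRL.sub(lambda m: '\\x%02x' % ord(m.group(0)), uri)
    return "Bad URI: %s" % cleaned


def looks_injected(uri: str) -> bool:
    """Detection hook: True when the URI contains characters that could
    break log framing.  Useful for raising an alert rather than silently
    scrubbing."""
    return _CTRL.search(uri) is not None


def count_records(log_text: str) -> int:
    """Number of records a reader would see in the written log text."""
    return len([line for line in log_text.splitlines() if line.strip()])


if __name__ == "__main__":
    naive = format_log_entry_naive(SAMPLE_URI)
    safe = format_log_entry_safe(SAMPLE_URI)
    print("naive writes %d record(s):" % count_records(naive))
    print(naive)
    print("safe writes %d record(s):" % count_records(safe))
    print(safe)
    print("flagged for review:", looks_injected(SAMPLE_URI))
```

The escaping approach is preferable to simply deleting CR/LF: the log still shows that the request contained control characters, which is exactly the signal an administrator reviewing the error log wants to keep.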