12 Sep 2006, 7:16 a.m.
Tokio Kikuchi wrote:
Hi,
Sorry that I was unable to respond.
Barry Warsaw wrote:
On Sep 9, 2006, at 10:09 AM, Guillaume Rousse wrote:
I'd like to use this occasion to drop a maximum of patches we still have:
- Is 2.1.9 still vulnerable to CVE-2005-3573? I didn't find any reference to it in the release notes, and the patch [1] still applies
This is the first I've seen of this CVE, but it sounds like bugs that have been addressed in the email package.
This is mentioned in the NEWS of version 2.1.7.
- A note on CVE-2005-3573: Although the RFC2231 bug example in the CVE has been solved in Mailman 2.1.6, there may be more cases where ToDigest.send_digests() can block regular delivery. We put the send_digests() calling part in a try/except clause and leave a message in the error log if something happened in send_digests(). Daily call of cron/senddigests will provide more detail to the site administrator.
Therefore, 2.1.9 is also not vulnerable. CVE-2005-3573 is a false (delayed) alert.
Thanks, I'll remove it.