[Mailman-Developers] Patches in mandriva package
Tokio Kikuchi
tkikuchi at is.kochi-u.ac.jp
Tue Sep 12 07:16:27 CEST 2006
Hi,
Sorry that I was unable to respond.
Barry Warsaw wrote:
> On Sep 9, 2006, at 10:09 AM, Guillaume Rousse wrote:
>
>> I'd like to use this occasion to drop a maximum of patches we still
>> have:
>> - is 2.1.9 still vulnerable to CVE-2005-3573? I didn't find any
>> reference to it in the release notes, and the patch [1] still applies
>
> This is the first I've seen of this CVE, but it sounds like bugs that
> have been addressed in the email package.

This is mentioned in the NEWS of version 2.1.7.

    - A note on CVE-2005-3573: Although the RFC2231 bug example in the CVE has
      been solved in Mailman 2.1.6, there may be more cases where
      ToDigest.send_digests() can block regular delivery. We put the
      send_digests() calling part in a try/except clause and leave a message
      in the error log if something happened in send_digests(). Daily call of
      cron/senddigests will provide more detail to the site administrator.

Therefore, 2.1.9 is also not vulnerable. CVE-2005-3573 is a false
(delayed) alert.
--
Tokio Kikuchi tkikuchi at is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/