[Mailman-Users] Question about Security Bulletin
Barry Finkel
b19141 at britaine.ctd.anl.gov
Mon Sep 11 14:59:44 CEST 2006
There was a CIAC bulletin last week pertaining to Mailman:
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
Mailman Security Update
[Red Hat RHSA-2006:0600-11]
September 7, 2006 17:00 GMT Number Q-305
______________________________________________________________________________
PROBLEM: There are several security vulnerabilities in Mailman:
1) A flaw was found in the way Mailman handled MIME multipart
messages; and
2) Several cross-site scripting (XSS) issues were found in Mailman.
PLATFORM: Red Hat Desktop (v. 3 & v. 4)
Red Hat Enterprise Linux AS, ES, WS (v. 3 & v. 4)
DAMAGE: 1) An attacker could send a carefully crafted MIME multipart
email message to a mailing list run by Mailman which caused
that particular mailing list to stop working; and 2) An
attacker could exploit these issues to perform cross-site
scripting attacks against the Mailman administrator.
SOLUTION: Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is LOW. 1) An attacker could send a carefully
crafted MIME multipart email message to a mailing list run by Mailman which
caused that particular mailing list to stop working; and 2) An attacker could
exploit these issues to perform cross-site scripting attacks against the
Mailman administrator.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/q-305.shtml
ORIGINAL BULLETIN: Red Hat RHSA-2006:0600-11
https://rhn.redhat.com/errata/RHSA-2006-0600.html
CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2941
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3636
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBRQBb0LnzJzdsy3QZAQHXHQQA0WW54tTmbOx4SVn207LrpISwkdfGShOx
jSoRgLWiUoSeSN2YQGz0NqqemkyTDARObvDZwIH7NiTfATaTHDZCldvDbZaMTREp
FpvHgrwmO38sKPvh0tuMoET92A7WBxsZ6RGnVw6Ck6lDttVBFoZiu0RM0gDAKsnZ
/DnCz3pYvss=
=DBSM
-----END PGP SIGNATURE-----
This bulletin only mentions Red Hat. Does the bulletin apply only
to Red Hat distributions, or does it apply to all Mailman distributions?
The links mention
mailman-2.1.5.1-25.rhel3.7.src.rpm
Is this a problem that only affects 2.1.5, or does it affect subsequent
versions of Mailman? Thanks.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFinkel at anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994
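Added example (editor's note, not code from the bulletin, from Red Hat or from the Mailman project): the question above is partly "is my box on the fixed build?", and on a Red Hat host the only reliable way to answer it is to compare the installed package string (what `rpm -q mailman` prints) against the fixed build named in the RHSA link, mailman-2.1.5.1-25.rhel3.7, using rpm's own version-ordering rules. The script below reimplements those rules (rpmvercmp: numeric segments compare numerically, alphabetic segments lexically, a tilde sorts before anything, a caret sorts after the bare version but before anything else) in pure Python so it can run off-box without the rpm bindings. The function names rpmvercmp, parse_nevr, compare_packages and is_patched are this example's own, and the older build used as sample input is constructed; the page names only the fixed build.

```python
"""Compare an installed Mailman RPM against the build named in an advisory.

Added example; not code from the CIAC bulletin, Red Hat or the Mailman
project.  Package strings use the name-[epoch:]version-release form printed
by `rpm -q`, optionally with a trailing .src.rpm / .<arch>.rpm as in the
bulletin's download link.
"""

from typing import Tuple


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm's ordering)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') are ignored.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' sorts before everything, even the end of the string (1.0~rc1 < 1.0).
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        # '^' sorts after the bare version but before any other segment
        # (1.0^git1 > 1.0, but 1.0^git1 < 1.0.1).
        if ca == "^" or cb == "^":
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i += 1
            j += 1
            continue
        if not (ca and cb):
            break
        # Take the next run of digits (if a starts with a digit) or letters from both.
        isnum = ca.isdigit()
        si, sj = i, j
        if isnum:
            while i < len(a) and a[i].isdigit():
                i += 1
            while j < len(b) and b[j].isdigit():
                j += 1
        else:
            while i < len(a) and a[i].isalpha():
                i += 1
            while j < len(b) and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            # Segment types differ: a numeric segment beats an alphabetic one.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    # Whichever string still has segments left is the newer one.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nevr(pkg: str) -> Tuple[str, int, str, str]:
    """Split 'name-[epoch:]version-release[.arch.rpm]' into (name, epoch, version, release)."""
    s = pkg
    if s.endswith(".rpm"):
        s = s[:-4].rsplit(".", 1)[0]  # drop the '.src' / '.i386' component as well
    try:
        name, version, release = s.rsplit("-", 2)
    except ValueError:
        raise ValueError(f"not a name-version-release string: {pkg!r}") from None
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def compare_packages(installed: str, fixed: str) -> int:
    """Order two builds of the same package: epoch, then version, then release."""
    n1, e1, v1, r1 = parse_nevr(installed)
    n2, e2, v2, r2 = parse_nevr(fixed)
    if n1 != n2:
        raise ValueError(f"package names differ: {n1!r} vs {n2!r}")
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = rpmvercmp(v1, v2)
    return c if c else rpmvercmp(r1, r2)


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed build is the advisory's fixed build or newer."""
    return compare_packages(installed, fixed) >= 0


# Fixed RHEL 3 build, taken from the RHSA-2006:0600 link quoted in the thread.
FIXED_RHEL3 = "mailman-2.1.5.1-25.rhel3.7.src.rpm"

if __name__ == "__main__":
    # Constructed sample: a hypothetical earlier RHEL 3 build, not one named on the page.
    for installed in ("mailman-2.1.5.1-24.rhel3.6", "mailman-2.1.5.1-25.rhel3.7"):
        state = "fixed build or newer" if is_patched(installed, FIXED_RHEL3) else "OLDER than fixed build"
        print(f"{installed}: {state}")
```

Two things to keep in mind when using a check like this. First, compare only within one vendor's package stream: a vendor build carries backported fixes in its release field while the upstream version field stays put (the fixed build here is still 2.1.5.1), so ordering a distribution package against an upstream version number says nothing about whether a given CVE is fixed. Second, on the host itself the rpm Python bindings' rpm.labelCompare((epoch, version, release), ...) are the authoritative implementation of the same ordering; the reimplementation above is for running the comparison somewhere rpm is not installed.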