[Mailman-Users] Question about Security Bulletin

Barry Finkel b19141 at britaine.ctd.anl.gov
Mon Sep 11 14:59:44 CEST 2006


There was a CIAC bulletin last week pertaining to Mailman:

            __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                            Mailman Security Update
                          [Red Hat RHSA-2006:0600-11]

September 7, 2006 17:00 GMT                                       Number Q-305
______________________________________________________________________________
PROBLEM:       There are several security vulnerabilities in Mailman: 
               1) A flaw was found in the way Mailman handled MIME multipart 
                  messages; and 
               2) Several cross-site scripting (XSS) issues were found in Mailman. 
PLATFORM:      Red Hat Desktop (v. 3 & v. 4) 
               Red Hat Enterprise Linux AS, ES, WS (v. 3 & v. 4) 
DAMAGE:        1) An attacker could send a carefully crafted MIME multipart 
               email message to a mailing list run by Mailman which caused 
               that particular mailing list to stop working; and 2) An 
               attacker could exploit these issues to perform cross-site 
               scripting attacks against the Mailman administrator. 
SOLUTION:      Upgrade to the appropriate version. 
______________________________________________________________________________
VULNERABILITY  The risk is LOW. 1) An attacker could send a carefully crafted 
ASSESSMENT:    MIME multipart email message to a mailing list run by Mailman 
               which caused that particular mailing list to stop working; and 
               2) An attacker could exploit these issues to perform cross-site 
               scripting attacks against the Mailman administrator. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-305.shtml 
 ORIGINAL BULLETIN:  Red Hat RHSA-2006:0600-11
                     https://rhn.redhat.com/errata/RHSA-2006-0600.html 
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CVE-2006-2941 CVE-2006-3636 
______________________________________________________________________________


-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBRQBb0LnzJzdsy3QZAQHXHQQA0WW54tTmbOx4SVn207LrpISwkdfGShOx
jSoRgLWiUoSeSN2YQGz0NqqemkyTDARObvDZwIH7NiTfATaTHDZCldvDbZaMTREp
FpvHgrwmO38sKPvh0tuMoET92A7WBxsZ6RGnVw6Ck6lDttVBFoZiu0RM0gDAKsnZ
/DnCz3pYvss=
=DBSM
-----END PGP SIGNATURE-----

This bulletin only mentions Red Hat.  Does the bulletin apply only
to Red Hat distributions, or does it apply to all Mailman distributions?
The links mention 

     mailman-2.1.5.1-25.rhel3.7.src.rpm

Is this a problem that only affects 2.1.5, or does it affect subsequent
versions of Mailman?  Thanks.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
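The bulletin quoted above says only that a crafted MIME multipart message could make a list "stop working"; it gives no detail of the flaw. As an added illustration (written for this page, not taken from the post, the CIAC bulletin, or Mailman's own code) of the defensive shape a list's incoming-mail handler wants, the Python below parses each message with the standard `email` package, records the structural defects the parser reports, and quarantines a malformed message instead of letting an exception propagate and halt the queue. The two sample messages are constructed for the example; `triage_message`, `process_queue` and the "quarantine" status are hypothetical names, not Mailman's.

```python
import email
from email import policy

# Constructed sample: a well-formed two-part message.
GOOD_MESSAGE = b"""From: sender@example.invalid
To: list@example.invalid
Subject: normal post
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

hello list
--b1
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="notes.txt"

some notes
--b1--
"""

# Constructed sample: claims to be multipart but declares no boundary,
# so the parser cannot find any subparts.
BAD_MESSAGE = b"""From: sender@example.invalid
To: list@example.invalid
Subject: malformed post
MIME-Version: 1.0
Content-Type: multipart/mixed

this claims to be multipart but declares no boundary
"""


def triage_message(raw: bytes) -> dict:
    """Parse one raw message and decide whether it is safe to hand on.

    Returns {"status": "ok" | "quarantine", "defects": [...], "parts": n}.
    The parser is run with policy.default, which records structural
    problems in msg.defects rather than raising, so we can inspect them.
    """
    try:
        msg = email.message_from_bytes(raw, policy=policy.default)
        defects = [type(d).__name__ for d in msg.defects]

        # Touch every leaf part's decoded body now, inside the try, so a
        # payload the parser tolerated but later code cannot handle is
        # caught here rather than deep in delivery.
        leaf_parts = 0
        for part in msg.walk():
            if not part.is_multipart():
                part.get_payload(decode=True)
                leaf_parts += 1

        if defects:
            return {"status": "quarantine", "defects": defects, "parts": leaf_parts}
        return {"status": "ok", "defects": [], "parts": leaf_parts}
    except Exception as exc:
        # Fail closed: a single bad message must never stop the runner.
        return {"status": "quarantine", "defects": [type(exc).__name__], "parts": 0}


def process_queue(raw_messages) -> tuple:
    """Drain a queue of raw messages; returns (delivered, quarantined).

    The point is that processing continues past a malformed message.
    """
    delivered = quarantined = 0
    for raw in raw_messages:
        result = triage_message(raw)
        if result["status"] == "ok":
            delivered += 1          # hand on to the list pipeline
        else:
            quarantined += 1        # hold for the list admin to inspect
    return delivered, quarantined


if __name__ == "__main__":
    for name, raw in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        print(name, triage_message(raw))
    print(process_queue([GOOD_MESSAGE, BAD_MESSAGE, GOOD_MESSAGE]))
```

Quarantining on any reported defect is deliberately strict; a production handler would likely whitelist the harmless defect classes and hold only the rest, but the structural point (parse, inspect, decode, and catch everything before delivery) is what keeps one message from taking the whole list down.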