77524 2005-01-11 07:57 0000 net-mail/mailman: [CAN-2004-1177] cross-site scripting in scripts/driver 2005-01-21 16:04:36 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED https://bugzilla.ubuntu.com/show_bug.cgi?id=5057 B4 [glsa] jaervosz P2 minor --- 1 formula7@gentoo.org security@gentoo.org net-mail@gentoo.org formula7@gentoo.org 2005-01-11 07:57:44 0000 mailman vulnerabilities CAN-2004-1177, http://bugs.debian.org/285839 Details follow: Florian Weimer discovered a cross-site scripting vulnerability in mailman's automatically generated error messages. An attacker could craft an URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page. When an unsuspecting user followed this URL, the malicious content was copied unmodified to the error page and executed in the context of this page. Important note: There is currently another known vulnerability: when an user subscribes to a mailing list without choosing a password, mailman automatically generates one. However, there are only about 5 million different possible passwords which allows brute force attacks. A different password generation algorithm already exists, but is currently too immature to be put into a stable release security update. Therefore it is advisable to always explicitly choose a password for subscriptions koon@gentoo.org 2005-01-11 07:58:46 0000 *** Bug 74459 has been marked as a duplicate of this bug. *** langthang@gentoo.org 2005-01-11 09:25:13 0000 our mailman doesn't have 55_options_traceback.dpatch apply. jaervosz@gentoo.org 2005-01-13 09:56:19 0000 The mentioned 55_options_traceback.dpatch in the debian bug report appears unrelated to the reported issue. Updated URI with Ubuntu bug report. jaervosz@gentoo.org 2005-01-13 22:15:51 0000 Upstream fix is located here: http://cvs.sourceforge.net/viewcvs.py/mailman/mailman/scripts/driver?r1=2.6.2.1&r2=2.6.2.2&only_with_tag=Release_2_1-maint And ChangeLog says: Close a potential cross-site scripting hole, discovered by Florian Weimer. Initial patch provided by Florian, modified by Barry. Also, turn STEALTH_MODE on by default. Most sites won't change this value from its default, so we might as well use the more secure option. Also, if STEALTH_MODE is turned off, but the websafe() function can't be imported, turn STEALTH_MODE back on. koon@gentoo.org 2005-01-15 13:12:07 0000 net-mail herd: please check and apply patch from comment #4. langthang@gentoo.org 2005-01-15 19:22:38 0000 ebuild with patch commited. jaervosz@gentoo.org 2005-01-16 05:10:30 0000 Thx Tuan. Arches please mark mailman-2.1.5-r3 stable. weeve@gentoo.org 2005-01-16 13:04:01 0000 sparc'd langthang@gentoo.org 2005-01-16 21:27:55 0000 x86 done. koon@gentoo.org 2005-01-19 01:47:27 0000 I would say this needs a GLSA, because list administration apps are quite accessible and make worthy targets. Furthermore we can do the same as Ubuntu and issue a small warning about the relative autopassword weakness issue (even if it's not worth a vulnerability by itself). jaervosz@gentoo.org 2005-01-19 01:56:56 0000 I vote for GLSA on this one too, Mailman is pretty widespread. sekretarz@gentoo.org 2005-01-19 12:57:41 0000 Stable on amd64 lewk@gentoo.org 2005-01-21 16:04:36 0000 GLSA 200501-29