Summary: | net-mail/mailman DoS, XSS, log spoofing (CVE-2006-2941|3636) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | minor | CC: | hanno, hncaldwell, net-mail+disabled, tcort | ||||
Priority: | High | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | B3 [glsa] jaervosz | ||||||
Package list: | Runtime testing required: | --- | |||||
Attachments: |
|
Description
Sune Kloppenborg Jeppesen (RETIRED)
2006-07-11 02:56:36 UTC
Created attachment 91439 [details, diff]
mailman-scrubber.patch
hanno please advise and attach an updated ebuild to this bug if you want stable testing before the disclosure date. Hi, this doesn't apply to the latest 2.1.8-mailman. For which version is this patch? forget the patch. python is also involved, the embargo date has been extended. it seems like there will be new python/email module version and mailman 2.9.1, which also fixes some XSS issues. I'll try to keep you updated, altough I cant promise. Public now, from Secunia : http://secunia.com/advisories/21732/ "SOLUTION: The vulnerabilities have been fixed in version 2.1.9rc1 and will also be fixed in the upcoming 2.1.9 version soon." Hanno, you should be able to find mailman-2.1.9rc1 on the mailman websites, e.g.: http://sourceforge.net/project/showfiles.php?group_id=103 cheers Pulling in herd. Please provide an updated ebuild. Bumped to 2.1.9_rc1, pretty much the same as 2.1.8_rc1. Archs please stabilize ppc stable If there's a glsa you might want to add a note about the changed SLOT.
> If there's a glsa you might want to add a note about the changed SLOT.
>
i don't know but i'll vote for a GLSA and i'll try to remember of your comment if necessary.
1.) compiles on x86 dodoc: contrib/mm-handler.readme does not exist 2.) passes collision-test (didn't do any further testing) emerge --info Portage 2.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-rc6 i686) ================================================================= System uname: 2.6.18-rc6 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz Gentoo Base System version 1.12.4 ccache version 2.3 [disabled] app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.3.5-r2, 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r5 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-Os -march=prescott -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-Os -march=prescott -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LINGUAS="en de en_GB de_CH" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://192.168.2.1/gentoo-portage" USE="x86 X acpi alsa asf avi berkdb bitmap-fonts cairo cdr cdrom cli crypt cups dbus divx dlloader dri dts dvd dvdr eds emboss encode fam ffmpeg firefox fortran gdbm gif gnome gpm gstreamer gtk hal ipv6 isdnlog java jpeg kde ldap libg++ mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre pdflib perl png ppds pppd python qt3 qt4 quicktime readline reflection samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd tetex threads truetype truetype-fonts type1-fonts udev unicode vcd vorbis win32codecs xine xml xorg xprint xv xvid zlib elibc_glibc input_devices_keyboard input_devices_mouse kernel_linux linguas_en linguas_de linguas_en_GB linguas_de_CH userland_GNU video_cards_i810 video_cards_fbdev video_cards_vesa" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY x86 stable ^_^ SPARC stable amd64 stable. Sorry this one slipped under my radar. This one is ready for GLSA vote. I vote YES. yes++ Then let's have a GLSA on this one. Thx everyone. GLSA 200609-12 *** Bug 199306 has been marked as a duplicate of this bug. *** |