Mailman 2.1.4 through 2.1.6 allows remote attackers to cause a denial of service via a message that causes the server to "fail with an Overflow on bad date data in a processed message," a different vulnerability than CVE-2005-3573.
net-mail, please advise.
Can't tell if 2.1.7 includes the fix for this one... but in all cases it looks like a good security bump.

2.1.7 (31-Dec-2005)

Security

- The fix for CAN-2005-0202 has been enhanced to issue an appropriate message instead of just quietly dropping ./ and ../ from URLs.
- A note on CVE-2005-3573: Although the RFC2231 bug example in the CVE has been solved in Mailman 2.1.6, there may be more cases where ToDigest.send_digests() can block regular delivery. We put the send_digests() calling part in a try/except clause and leave a message in the error log if something happened in send_digests(). Daily call of cron/senddigests will provide more detail to the site administrator.
- List administrators can no longer change the user's option/subscription globally. Site admin can change these only if mm_cfg.ALLOW_SITE_ADMIN_COOKIES is set to Yes.
- Script tags are HTML-escaped in the edithtml CGI script.
- Since the probe message for disabled users may reach unintended recipients, the password is excluded from sendProbe() and probe.txt. Note that the default value of VERP_PROBE has been set to `No' from 2.1.6, thus this change doesn't affect the default behavior.
net-mail, please provide an updated ebuild.
Sorry for the late reply; mailman has been maintained by mholzer lately. We are waiting for his response. Anyway, mailman-2.1.7 has been in the tree for quite some time.

*mailman-2.1.7 (03 Jan 2006)

03 Jan 2006; Martin Holzer <mholzer@gentoo.org> +files/mailman-2.1.7-directory-check.patch, +mailman-2.1.7.ebuild:
Version bumped.

Best regards,
Tuan Van
Langthang, sorry for not checking. Arches, please test and mark stable.
amd64 stable
x86 is done...
SPARC'd
Ready for GLSA vote.
Without more I tend to say no.
1/2 no from me, too. Make it a full no if needed.
Closing. Feel free to reopen if you intended to vote yes.