Bug 208710 (CVE-2008-0564)

Summary:

net-mail/mailman < 2.1.9-r3 XSS issues (CVE-2008-0564)

Product:

Gentoo Security

Reporter:

Tobias Scherbaum (RETIRED) <dertobi123>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

minor

CC:

hanno, net-mail+disabled

Priority:

High

Version:

unspecified

Hardware:

All

OS:

Linux

URL:

http://mail.python.org/pipermail/mailman-announce/2008-February/000095.html

Whiteboard:

B4 [noglsa]

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
mailman-2.1.9-fix-XSS.patch	none

Description Tobias Scherbaum (RETIRED) gentoo-dev

2008-02-03 09:50:13 UTC

Quoting the announcement [1]:

"I am happy to announce the second beta release of Mailman 2.1.10. For
technical reasons, there was no 'b2' release.

This is a security and bug fix release and it is highly recommended
that all sites upgrade to this version.  Mailman 2.1.10 also adds support
for two new language translations, Hebrew and Slovak and a few new features.

[...]

~  Security

~    - The 2.1.9 fixes for CVE-2006-3636 have been enhanced.  In particular,
~      many potential cross-site scripting attacks have are now detected in
~      editing templates and updating the list's info attribute via the web
~      admin interface.  Thanks again to Moritz Naumann for assistance with
~      this."

Note that while speaking of 2.1.10b1 in the initial announcement the new released version is 2.1.10b3 according to [2].

[1] http://mail.python.org/pipermail/mailman-announce/2008-February/000095.html
[2] http://mail.python.org/pipermail/mailman-announce/2008-February/000096.html

Comment 1 Jonathan Smith (RETIRED) gentoo-dev

2008-02-05 08:52:17 UTC

CVE-2008-0564 has been allocated for these issues.

Comment 2 Jonathan Smith (RETIRED) gentoo-dev

2008-02-05 08:54:00 UTC

Created attachment 142699 [details, diff]
mailman-2.1.9-fix-XSS.patch

Oh, also, if $MAINTAINER doesn't want to update to a beta release (I wouldn't), I'm attaching a patch which was given to me by upstream to fix the issue.

Comment 3 Hanno Böck gentoo-dev

2008-02-05 11:24:16 UTC

Added -r3. Archs, please go ahead.

Note that this introduces the "reworked" mailman-ebuild, which installs into fhs-compliant locations and can be configured much better.

Comment 4 Dawid Węgliński (RETIRED) gentoo-dev

2008-02-05 13:12:26 UTC

 * An example Mailman configuration file for Apache has been installed into:
 *   /50_mailman.conf

There's missing ${APACHE_MODULES_CONFDIR} variable (missing eclass?)

x86 stable

Comment 5 Robert Buchholz (RETIRED) gentoo-dev

2008-02-05 13:14:38 UTC

Arches, please test and mark stable:
=net-mail/mailman-2.1.9-r3
Target keywords : "amd64 ppc release sparc x86"

Comment 6 Robert Buchholz (RETIRED) gentoo-dev

2008-02-05 13:15:06 UTC

sorry, removing x86 again.

Comment 7 Hanno Böck gentoo-dev

2008-02-06 11:48:26 UTC

amd64 done

Comment 8 Raúl Porcel (RETIRED) gentoo-dev

2008-02-07 13:51:36 UTC

sparc stable

Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev

2008-02-07 18:30:44 UTC

ppc stable plus re-adding amd64.

Comment 10 Hanno Böck gentoo-dev

2008-02-08 13:14:33 UTC

Seems I've stabilized amd64 in my local cvs tree without committing...

Now done. Security, please go ahead with glsa.

Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2008-02-10 14:50:39 UTC

This one is ready for GLSA vote. I tend to vote NO.

Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-02-10 15:36:44 UTC

voting NO, and I close even if we don't have 2 full NO votes since it's XSS. feel free to reopen if you disagree.

Comment 13 Hanno Böck gentoo-dev

2008-02-12 20:56:12 UTC

Erh? Yes, it's an XSS and thus it can be used to steal accounts, which is a major issue. Why shouldn't this cause a GLSA??

Vote YES (if my opinion as the package maintainer counts) and volunteer to write the glsa if neccessary.

Comment 14 Robert Buchholz (RETIRED) gentoo-dev

2008-02-12 21:00:59 UTC

Is it a persistent or non-persistent XSS? Non-persistent issues usually do not get GLSA'd.

Comment 15 Peter Volkov (RETIRED) gentoo-dev

2008-02-23 18:15:11 UTC

Fixed in release snapshot.