|Summary:||net-mail/mailman: [CAN-2004-1177] cross-site scripting in scripts/driver|
|Product:||Gentoo Security||Reporter:||Jean-François Brunette (RETIRED) <formula7>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||B4 [glsa] jaervosz|
|Package list:||Runtime testing required:||---|
Description Jean-François Brunette (RETIRED) 2005-01-11 07:57:44 UTC
Comment 1 Thierry Carrez (RETIRED) 2005-01-11 07:58:46 UTC
*** Bug 74459 has been marked as a duplicate of this bug. ***
Comment 2 Tuan Van (RETIRED) 2005-01-11 09:25:13 UTC
our mailman doesn't have 55_options_traceback.dpatch apply.
Comment 3 Sune Kloppenborg Jeppesen 2005-01-13 09:56:19 UTC
The mentioned 55_options_traceback.dpatch in the debian bug report appears unrelated to the reported issue. Updated URI with Ubuntu bug report.
Comment 4 Sune Kloppenborg Jeppesen 2005-01-13 22:15:51 UTC
Upstream fix is located here: http://cvs.sourceforge.net/viewcvs.py/mailman/mailman/scripts/driver?r1=22.214.171.124&r2=126.96.36.199&only_with_tag=Release_2_1-maint And ChangeLog says: Close a potential cross-site scripting hole, discovered by Florian Weimer. Initial patch provided by Florian, modified by Barry. Also, turn STEALTH_MODE on by default. Most sites won't change this value from its default, so we might as well use the more secure option. Also, if STEALTH_MODE is turned off, but the websafe() function can't be imported, turn STEALTH_MODE back on.
Comment 5 Thierry Carrez (RETIRED) 2005-01-15 13:12:07 UTC
net-mail herd: please check and apply patch from comment #4.
Comment 6 Tuan Van (RETIRED) 2005-01-15 19:22:38 UTC
ebuild with patch commited.
Comment 7 Sune Kloppenborg Jeppesen 2005-01-16 05:10:30 UTC
Thx Tuan. Arches please mark mailman-2.1.5-r3 stable.
Comment 8 Jason Wever (RETIRED) 2005-01-16 13:04:01 UTC
Comment 9 Tuan Van (RETIRED) 2005-01-16 21:27:55 UTC
Comment 10 Thierry Carrez (RETIRED) 2005-01-19 01:47:27 UTC
I would say this needs a GLSA, because list administration apps are quite accessible and make worthy targets. Furthermore we can do the same as Ubuntu and issue a small warning about the relative autopassword weakness issue (even if it's not worth a vulnerability by itself).
Comment 11 Sune Kloppenborg Jeppesen 2005-01-19 01:56:56 UTC
I vote for GLSA on this one too, Mailman is pretty widespread.
Comment 12 Karol Wojtaszek (RETIRED) 2005-01-19 12:57:41 UTC
Stable on amd64
Comment 13 Luke Macken (RETIRED) 2005-01-21 16:04:36 UTC