Summary: | net-mail/mailman: [CAN-2004-1177] cross-site scripting in scripts/driver | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jean-François Brunette (RETIRED) <formula7> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | net-mail+disabled |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | https://bugzilla.ubuntu.com/show_bug.cgi?id=5057 | ||
Whiteboard: | B4 [glsa] jaervosz | ||
Package list: | Runtime testing required: | --- |
Description
Jean-François Brunette (RETIRED)
2005-01-11 07:57:44 UTC
*** Bug 74459 has been marked as a duplicate of this bug. ***

Our mailman doesn't have 55_options_traceback.dpatch applied.

The mentioned 55_options_traceback.dpatch in the Debian bug report appears unrelated to the reported issue. Updated URI with Ubuntu bug report.

Upstream fix is located here: http://cvs.sourceforge.net/viewcvs.py/mailman/mailman/scripts/driver?r1=2.6.2.1&r2=2.6.2.2&only_with_tag=Release_2_1-maint

And ChangeLog says:

Close a potential cross-site scripting hole, discovered by Florian Weimer. Initial patch provided by Florian, modified by Barry. Also, turn STEALTH_MODE on by default. Most sites won't change this value from its default, so we might as well use the more secure option. Also, if STEALTH_MODE is turned off, but the websafe() function can't be imported, turn STEALTH_MODE back on.

net-mail herd: please check and apply patch from comment #4.

ebuild with patch committed. Thx Tuan. Arches please mark mailman-2.1.5-r3 stable.

sparc'd

x86 done.

I would say this needs a GLSA, because list administration apps are quite accessible and make worthy targets. Furthermore we can do the same as Ubuntu and issue a small warning about the relative autopassword weakness issue (even if it's not worth a vulnerability by itself).

I vote for GLSA on this one too, Mailman is pretty widespread.

Stable on amd64

GLSA 200501-29
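
The fail-closed behaviour the ChangeLog above describes (escape what the error page shows, keep stealth mode on by default, and force it back on when the escaping function cannot be imported), as an added Python sketch that is not Mailman's scripts/driver code. The function names, page text and sample request are constructed for illustration, and html.escape stands in for websafe().

```python
import html
import importlib
import traceback


def load_escaper(module_name, func_name):
    """Return module_name.func_name, or None if it cannot be imported."""
    try:
        return getattr(importlib.import_module(module_name), func_name)
    except Exception:
        return None


def render_error_page(exc, environ, stealth_mode=True, escaper=None):
    """Build the HTML error page for an unhandled exception in a CGI script."""
    # Fail closed: with no escaping function available, request-derived
    # text cannot be shown safely, so stealth mode is forced back on.
    if escaper is None:
        stealth_mode = True
    page = ["<html><head><title>Error</title></head><body>",
            "<h2>An error occurred while handling the request.</h2>"]
    if stealth_mode:
        page.append("<p>Details were written to the server error log.</p>")
    else:
        tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        page.append("<pre>%s</pre>" % escaper(tb))
        page.append("<table>")
        for key in sorted(environ):
            page.append("<tr><td>%s</td><td>%s</td></tr>"
                        % (escaper(key), escaper(str(environ[key]))))
        page.append("</table>")
    page.append("</body></html>")
    return "\n".join(page)


# Constructed sample request: markup arrives in the URL path and ends up
# both in the environment and in the exception message.
SAMPLE_ENVIRON = {"PATH_INFO": "/listinfo/<script>alert(1)</script>",
                  "REQUEST_METHOD": "GET"}
SAMPLE_ERROR = ValueError("no such list: <script>alert(1)</script>")

if __name__ == "__main__":
    escaper = load_escaper("html", "escape")  # stand-in for websafe()
    print(render_error_page(SAMPLE_ERROR, SAMPLE_ENVIRON, False, escaper))
```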