Bug 208710 (CVE-2008-0564) - net-mail/mailman < 2.1.9-r3 XSS issues (CVE-2008-0564)
Summary: net-mail/mailman < 2.1.9-r3 XSS issues (CVE-2008-0564)
Alias: CVE-2008-0564
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2008-02-03 09:50 UTC by Tobias Scherbaum (RETIRED)
Modified: 2008-02-23 18:15 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---

Attachment: mailman-2.1.9-fix-XSS.patch (11.02 KB, patch), 2008-02-05 08:54 UTC, Jonathan Smith (RETIRED)

Description Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-03 09:50:13 UTC
Quoting the announcement [1]:

"I am happy to announce the second beta release of Mailman 2.1.10. For
technical reasons, there was no 'b2' release.

This is a security and bug fix release and it is highly recommended
that all sites upgrade to this version.  Mailman 2.1.10 also adds support
for two new language translations, Hebrew and Slovak and a few new features.


  Security

    - The 2.1.9 fixes for CVE-2006-3636 have been enhanced.  In particular,
      many potential cross-site scripting attacks are now detected in
      editing templates and updating the list's info attribute via the web
      admin interface.  Thanks again to Moritz Naumann for assistance with
      this."

Note that while the initial announcement speaks of 2.1.10b1, the newly released version is 2.1.10b3 according to [2].
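
The announcement above describes detecting cross-site scripting attempts in operator-supplied HTML (edited templates and the list's info attribute) before it reaches the web interface. The following is an added illustration of that kind of check, written for this bug page; it is not Mailman's own code and the pattern list and the `store_list_info` fallback are constructed for the example. It scans both the raw fragment and its entity-decoded form, since browsers decode entities inside attribute values (so `href="&#106;avascript:..."` still executes) and a scan of the raw text alone would miss that; when anything is flagged, the fragment is stored escaped so it renders as literal text instead of running.

```python
import html
import re

# Constructed deny-list for this example; it is not Mailman's rule set.
# A deny-list is a detection aid, not a complete parser: treat any hit as
# "do not trust this fragment as HTML" rather than as a precise classification.
SUSPICIOUS_PATTERNS = {
    "script-tag":     re.compile(r"<\s*/?\s*script\b", re.I),
    "embedding-tag":  re.compile(r"<\s*(iframe|object|embed|applet|meta|base)\b", re.I),
    "event-handler":  re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I | re.S),
    "javascript-url": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
}


def suspicious_html(fragment):
    """Return the sorted names of patterns found in an HTML fragment.

    The fragment is scanned as written and again after entity decoding, so
    an attribute value such as href="&#106;avascript:..." (which a browser
    decodes before use) is caught.  This is deliberately conservative: an
    encoded form that a browser would render harmlessly may also be flagged.
    """
    candidates = (fragment, html.unescape(fragment))
    return sorted(
        name for name, rx in SUSPICIOUS_PATTERNS.items()
        if any(rx.search(text) for text in candidates)
    )


def store_list_info(fragment):
    """Decide how a web-submitted list info fragment is stored.

    Clean fragments are kept as trusted HTML (the behaviour a list admin
    expects).  Flagged fragments are stored escaped, so whatever they
    contained is shown literally on the list pages instead of executing.
    """
    hits = suspicious_html(fragment)
    if hits:
        return {
            "accepted_as_html": False,
            "flags": hits,
            "stored": html.escape(fragment, quote=True),
        }
    return {"accepted_as_html": True, "flags": [], "stored": fragment}


if __name__ == "__main__":
    # Constructed sample submissions, as a list admin might enter them.
    for sample in (
        "<p>Welcome to the list</p>",
        '<a href="&#106;avascript:alert(1)">archive</a>',
        "<img src=x onerror=alert(1)>",
    ):
        print(repr(sample), "->", store_list_info(sample))
```

Escaping on output is the robust control; the scan only adds an early signal (and an audit point) for the admin-interface paths the announcement names.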

Comment 1 Jonathan Smith (RETIRED) gentoo-dev 2008-02-05 08:52:17 UTC
CVE-2008-0564 has been allocated for these issues.
Comment 2 Jonathan Smith (RETIRED) gentoo-dev 2008-02-05 08:54:00 UTC
Created attachment 142699 [details, diff]

Oh, also, if $MAINTAINER doesn't want to update to a beta release (I wouldn't), I'm attaching a patch which was given to me by upstream to fix the issue.
Comment 3 Hanno Böck gentoo-dev 2008-02-05 11:24:16 UTC
Added -r3. Archs, please go ahead.

Note that this introduces the "reworked" mailman-ebuild, which installs into fhs-compliant locations and can be configured much better.
Comment 4 Dawid Węgliński (RETIRED) gentoo-dev 2008-02-05 13:12:26 UTC
 * An example Mailman configuration file for Apache has been installed into:
 *   /50_mailman.conf

There's missing ${APACHE_MODULES_CONFDIR} variable (missing eclass?)

x86 stable
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-02-05 13:14:38 UTC
Arches, please test and mark stable:
Target keywords : "amd64 ppc release sparc x86"
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-02-05 13:15:06 UTC
Sorry, removing x86 again.
Comment 7 Hanno Böck gentoo-dev 2008-02-06 11:48:26 UTC
amd64 done
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-02-07 13:51:36 UTC
sparc stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-07 18:30:44 UTC
ppc stable plus re-adding amd64.
Comment 10 Hanno Böck gentoo-dev 2008-02-08 13:14:33 UTC
Seems I've stabilized amd64 in my local cvs tree without committing...

Now done. Security, please go ahead with glsa.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-10 14:50:39 UTC
This one is ready for GLSA vote. I tend to vote NO.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-10 15:36:44 UTC
Voting NO, and I'm closing even though we don't have 2 full NO votes since it's XSS. Feel free to reopen if you disagree.
Comment 13 Hanno Böck gentoo-dev 2008-02-12 20:56:12 UTC
Erh? Yes, it's an XSS and thus it can be used to steal accounts, which is a major issue. Why shouldn't this cause a GLSA??

Vote YES (if my opinion as the package maintainer counts) and volunteer to write the glsa if necessary.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 21:00:59 UTC
Is it a persistent or non-persistent XSS? Non-persistent issues usually do not get GLSA'd.
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2008-02-23 18:15:11 UTC
Fixed in release snapshot.