Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page.
There is currently another known vulnerability: when a user
subscribes to a mailing list without choosing a password, mailman
automatically generates one. However, there are only about 5 million
different possible passwords, which allows brute-force attacks.
A different password generation algorithm already exists, but is
currently too immature to be put into a stable release security
update. Therefore it is advisable to always explicitly choose a
password for subscriptions.
*** Bug 74459 has been marked as a duplicate of this bug. ***
Our mailman doesn't have 55_options_traceback.dpatch applied.
The mentioned 55_options_traceback.dpatch in the debian bug report appears unrelated to the reported issue. Updated URI with Ubuntu bug report.
Upstream fix is located here:
And ChangeLog says:
Close a potential cross-site scripting hole, discovered by Florian Weimer.
Initial patch provided by Florian, modified by Barry.
Also, turn STEALTH_MODE on by default. Most sites won't change this value
from its default, so we might as well use the more secure option. Also, if
STEALTH_MODE is turned off, but the websafe() function can't be imported, turn
STEALTH_MODE back on.
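To illustrate the hole described in the advisory and the ChangeLog's fallback logic, here is an added Python example (not mailman's own code): an error page that copies a user-supplied list name into HTML unmodified, beside a version that escapes it with a websafe()-style helper and falls back to STEALTH_MODE when that helper is unavailable. The wording of the error message, the assumption that STEALTH_MODE simply omits the list name, and the constructed list name are assumptions of this example.

```python
import html

# Constructed list name carrying markup, standing in for the content an
# attacker could place in a URL that triggers a mailman error page.
HOSTILE_LISTNAME = 'announce<script>alert(1)</script>'


def websafe(s):
    """Escape &, <, >, and quotes so arbitrary text is inert inside HTML."""
    return html.escape(s, quote=True)


def render_unpatched(listname):
    """Pre-fix behaviour: the list name is copied into the page unmodified."""
    return '<p>No such list <em>%s</em></p>' % listname


def render_no_such_list(listname, stealth_mode=True, escape=websafe):
    """Fixed behaviour, modelled on the ChangeLog entry.

    STEALTH_MODE on (the new default) omits the list name entirely (assumed
    semantics). If STEALTH_MODE is off but the escaping helper cannot be
    imported (escape is None), stealth mode is turned back on rather than
    echoing unescaped input.
    """
    if not stealth_mode and escape is None:
        stealth_mode = True
    if stealth_mode:
        return '<p>No such list.</p>'
    return '<p>No such list <em>%s</em></p>' % escape(listname)


def contains_live_markup(page, listname):
    """Detection check: did the user-controlled string reach the page verbatim
    with its tag still parseable as markup?"""
    return listname in page and '<script' in page.lower()


if __name__ == '__main__':
    for label, page in (
        ('unpatched', render_unpatched(HOSTILE_LISTNAME)),
        ('escaped', render_no_such_list(HOSTILE_LISTNAME, stealth_mode=False)),
        ('stealth', render_no_such_list(HOSTILE_LISTNAME)),
        ('no websafe', render_no_such_list(HOSTILE_LISTNAME, False, None)),
    ):
        print('%-10s live markup: %s  -> %s'
              % (label, contains_live_markup(page, HOSTILE_LISTNAME), page))
```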
net-mail herd: please check and apply patch from comment #4.
ebuild with patch committed.
Arches please mark mailman-2.1.5-r3 stable.
I would say this needs a GLSA, because list administration apps are quite accessible and make worthy targets. Furthermore, we can do the same as Ubuntu and issue a small warning about the relative autopassword weakness issue (even if it's not worth a vulnerability by itself).
I vote for GLSA on this one too, Mailman is pretty widespread.
Stable on amd64