Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 77524 - net-mail/mailman: [CAN-2004-1177] cross-site scripting in scripts/driver
Summary: net-mail/mailman: [CAN-2004-1177] cross-site scripting in scripts/driver
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa] jaervosz
: 74459 (view as bug list)
Depends on:
Reported: 2005-01-11 07:57 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-01-21 16:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-01-11 07:57:44 UTC
mailman vulnerabilities

Details follow:

Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft an URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page.

Important note:

There is currently another known vulnerability: when an user
subscribes to a mailing list without choosing a password, mailman
automatically generates one. However, there are only about 5 million
different possible passwords which allows brute force attacks.

A different password generation algorithm already exists, but is
currently too immature to be put into a stable release security
update. Therefore it is advisable to always explicitly choose a
password for subscriptions
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-11 07:58:46 UTC
*** Bug 74459 has been marked as a duplicate of this bug. ***
Comment 2 Tuan Van (RETIRED) gentoo-dev 2005-01-11 09:25:13 UTC
our mailman doesn't have 55_options_traceback.dpatch apply.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-13 09:56:19 UTC
The mentioned 55_options_traceback.dpatch in the debian bug report appears unrelated to the reported issue. Updated URI with Ubuntu bug report.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-13 22:15:51 UTC
Upstream fix is located here:

And ChangeLog says:
Close a potential cross-site scripting hole, discovered by Florian Weimer.
Initial patch provided by Florian, modified by Barry.

Also, turn STEALTH_MODE on by default.  Most sites won't change this value
from its default, so we might as well use the more secure option.  Also, if
STEALTH_MODE is turned off, but the websafe() function can't be imported, turn
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-15 13:12:07 UTC
net-mail herd: please check and apply patch from comment #4.
Comment 6 Tuan Van (RETIRED) gentoo-dev 2005-01-15 19:22:38 UTC
ebuild with patch commited.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-16 05:10:30 UTC
Thx Tuan.

Arches please mark mailman-2.1.5-r3 stable.
Comment 8 Jason Wever (RETIRED) gentoo-dev 2005-01-16 13:04:01 UTC
Comment 9 Tuan Van (RETIRED) gentoo-dev 2005-01-16 21:27:55 UTC
x86 done.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-01-19 01:47:27 UTC
I would say this needs a GLSA, because list administration apps are quite accessible and make worthy targets. Furthermore we can do the same as Ubuntu and issue a small warning about the relative autopassword weakness issue (even if it's not worth a vulnerability by itself).
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-19 01:56:56 UTC
I vote for GLSA on this one too, Mailman is pretty widespread.
Comment 12 Karol Wojtaszek (RETIRED) gentoo-dev 2005-01-19 12:57:41 UTC
Stable on amd64
Comment 13 Luke Macken (RETIRED) gentoo-dev 2005-01-21 16:04:36 UTC
GLSA 200501-29