mailman vulnerabilities CAN-2004-1177, http://bugs.debian.org/285839

Details follow:

Florian Weimer discovered a cross-site scripting vulnerability in mailman's automatically generated error messages. An attacker could craft a URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page. When an unsuspecting user followed this URL, the malicious content was copied unmodified to the error page and executed in the context of this page.

Important note: There is currently another known vulnerability: when a user subscribes to a mailing list without choosing a password, mailman automatically generates one. However, there are only about 5 million different possible passwords, which allows brute force attacks. A different password generation algorithm already exists, but is currently too immature to be put into a stable release security update. Therefore it is advisable to always explicitly choose a password for subscriptions.
*** Bug 74459 has been marked as a duplicate of this bug. ***
Our mailman doesn't have 55_options_traceback.dpatch applied.
The mentioned 55_options_traceback.dpatch in the debian bug report appears unrelated to the reported issue. Updated URI with Ubuntu bug report.
Upstream fix is located here: http://cvs.sourceforge.net/viewcvs.py/mailman/mailman/scripts/driver?r1=2.6.2.1&r2=2.6.2.2&only_with_tag=Release_2_1-maint And ChangeLog says: Close a potential cross-site scripting hole, discovered by Florian Weimer. Initial patch provided by Florian, modified by Barry. Also, turn STEALTH_MODE on by default. Most sites won't change this value from its default, so we might as well use the more secure option. Also, if STEALTH_MODE is turned off, but the websafe() function can't be imported, turn STEALTH_MODE back on.
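The hole described in the ChangeLog above, as an added example that is not Mailman's driver script nor Florian's patch: a minimal error-page builder that copies the requested list name from the URL into the page unmodified, beside one that runs it through a websafe()-style escape and honours a STEALTH_MODE flag (including the ChangeLog's fallback of forcing stealth mode back on when websafe() is unavailable). The attack URL, the function names, and the use of Python's html.escape in place of Mailman's own Utils.websafe() are assumptions made for this illustration.

```python
import html
from urllib.parse import urlsplit, unquote

# Constructed attacker URL (not from the report): the bogus list name in the
# path is a percent-encoded <script> tag, slash encoded as %2F so it survives
# path splitting.
ATTACK_URL = ("http://lists.example.org/mailman/listinfo/"
              "%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E")


def list_name_from_url(url: str) -> str:
    """Take the last path component as the requested list name, percent-decoded."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def websafe(s: str) -> str:
    """Stand-in for Mailman's Utils.websafe(): escape HTML metacharacters."""
    return html.escape(s, quote=True)


def build_error_page_unsafe(listname: str) -> str:
    """Vulnerable shape: request-derived text lands in the HTML body as-is."""
    return ("<html><body><h1>Bug in Mailman</h1>"
            f"<p>No such list: {listname}</p></body></html>")


def effective_stealth_mode(configured: bool, websafe_available: bool) -> bool:
    """ChangeLog rule: stealth mode stays on if configured, and is forced on
    when the escaping helper cannot be imported."""
    return configured or not websafe_available


def build_error_page_safe(listname: str, stealth_mode: bool = True) -> str:
    """Hardened shape: either hide the details entirely (STEALTH_MODE) or
    escape them before they reach the page."""
    if stealth_mode:
        detail = "<p>An error occurred. Details have been written to the server log.</p>"
    else:
        detail = f"<p>No such list: {websafe(listname)}</p>"
    return "<html><body><h1>Bug in Mailman</h1>" + detail + "</body></html>"


def has_live_script(page: str) -> bool:
    """Crude check used here to compare the two builders: an unescaped <script tag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    name = list_name_from_url(ATTACK_URL)
    print("decoded list name:", name)
    print("unsafe page executes script:",
          has_live_script(build_error_page_unsafe(name)))
    print("escaped page executes script:",
          has_live_script(build_error_page_safe(name, stealth_mode=False)))
    print("stealth page:", build_error_page_safe(name, stealth_mode=True))
```

With stealth mode off the escaped page still tells the user which list was not found, but the payload is rendered as text; with stealth mode on, the default the ChangeLog chooses, nothing request-derived reaches the page at all, which is why it is the safer default for sites that never review this setting.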
net-mail herd: please check and apply patch from comment #4.
Ebuild with patch committed.
Thx Tuan. Arches please mark mailman-2.1.5-r3 stable.
sparc'd
x86 done.
I would say this needs a GLSA, because list administration apps are quite accessible and make worthy targets. Furthermore we can do the same as Ubuntu and issue a small warning about the relative autopassword weakness issue (even if it's not worth a vulnerability by itself).
I vote for GLSA on this one too, Mailman is pretty widespread.
Stable on amd64
GLSA 200501-29