LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: September 15th, 2014
Linux Security Week: September 8th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Fedora Core 2 Update: mailman-2.1.5-10.fc2 Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Fedora A cross-site scripting (XSS) flaw in the driver script of mailman prior to version 2.1.5 could allow remote attackers to execute scripts as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1177 to this issue. Users of mailman should update to this erratum package, which corrects this issue by turning on STEALTH_MODE by default and using Utils.websafe() to quote the html.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-241
2005-03-22
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : mailman
Version     : 2.1.5                      
Release     : 10.fc2                  
Summary     : Mailing list manager with built in Web access.
Description :
Mailman is software to help manage email discussion lists, much like
Majordomo and Smartmail. Unlike most similar products, Mailman gives
each mailing list a webpage, and allows users to subscribe,
unsubscribe, etc. over the Web. Even the list manager can administer
his or her list entirely from the Web. Mailman also integrates most
things people want to do with mailing lists, including archiving, mail
<-> news gateways, and so on.

Documentation can be found in: /usr/share/doc/mailman-2.1.5

When the package has finished installing, you will need to perform some
additional installation steps, these are described in:
/usr/share/doc/mailman-2.1.5/INSTALL.REDHAT

---------------------------------------------------------------------
Update Information:

A cross-site scripting (XSS) flaw in the driver script of mailman
prior to version 2.1.5 could allow remote attackers to execute scripts
as other web users. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-1177 to this issue.

Users of mailman should update to this erratum package, which corrects
this issue by turning on STEALTH_MODE by default and using
Utils.websafe() to quote the html.

---------------------------------------------------------------------
* Mon Mar 21 2005 John Dennis  - 3:2.1.5-10.fc2

- fix bug #147833, CAN-2004-1177

* Mon Feb 14 2005 John Dennis  - 3:2.1.5-9.fc2

- fix bug #147856, moderator -1 admin requests pending

* Tue Feb  8 2005 John Dennis  - 3:2.1.5-8.fc2

- fix security vulnerability CAN-2005-0202, errata RHSA-2005:136, bug #147343

* Wed Jun  9 2004 John Dennis  - 3:2.1.5-6

- fix bug in pre scriplet, last command had been "service mailman stop"
- bump rev for rebuild
  which should have been harmless if mailman was not installed except
  that it left the exit status from the script as non-zero and rpm
  aborted the install.

* Wed Jun  9 2004 John Dennis  - 3:2.1.5-5

- add status reporting to init.d control script
  stop mailman during an installation
  restart mailman if it had been running prior to installation

* Mon Jun  7 2004 John Dennis  - 3:2.1.5-4

- back python prereq down to 2.2, should be sufficient

* Thu May 20 2004 John Dennis  3:2.1.5-3

- make python prereq be at least 2.3

* Tue May 18 2004 Jeremy Katz  3:2.1.5-2

- rebuild

* Mon May 17 2004 John Dennis  3:2.1.5-1

- bring up to latest 2.1.5 upstream release
  From Barry Warsaw: Mailman 2.1.5, a bug fix release that also
  contains new support for the Turkish language, and a few minor new
  features. Mailman 2.1.5 is a significant upgrade which should
  improve disk i/o performance, administrative overhead for discarding
  held spams, and the behavior of bouncing member disables.  This
  version also contains a fix for an exploit that could allow 3rd
  parties to retrieve member passwords.  It is thus highly recommended
  that all existing sitesupgrade to the latest version

* Tue May  4 2004 Warren Togami  3:2.1.4-4

- #105638 fix bytecompile and rpm -V
- postun /etc/postfix/aliases fix
- clean uninstall (no more empty dirs)
- #115378 RedirectMatch syntax fix

* Fri Feb 13 2004 Elliot Lee 

- rebuilt

* Fri Jan  9 2004 John Dennis  3:2.1.4-1

- upgrade to new upstream release 2.1.4
- fixes bugs 106349,112851,105367,91463

* Wed Jun  4 2003 Elliot Lee 

- rebuilt

* Wed May  7 2003 John Dennis 

- bring up to next upstream release 2.1.2

* Sun May  4 2003 Florian La Roche 

- fix typo in post script: mmusr -> mmuser

* Thu Apr 24 2003 John Dennis 

- fix bug 72004, 74483, 74484, 87856 - improper log rotation
- fix bug 88083 - mailman user/group needed to exist during build
- fix bug 88144 - wrong %file attributes on mm_cfg.py
- fix bug 89221 - mailman user not created on install
- fix bug 89250 - wrong pid file name in initscript

* Wed Mar  5 2003 Florian La Roche 

- change to /etc/rc.d/init.d as in all other rpms

* Thu Feb 20 2003 John Dennis 

- change mailman login shell from /bin/false to /sbin/nologin

* Fri Feb 14 2003 John Dennis 

- bring package up to 2.1.1 release, add /usr/share/doc files

* Sat Feb  1 2003 Florian La Roche 

- make the icon dir owned by root:root as in other rpms

* Fri Jan 31 2003 John Dennis 

- various small tweaks to the spec file to make installation cleaner
- use /usr/bin/python when compiling, redirect compile output to /dev/null,
- don't run update in %post, let the user do it, remove the .pyc files in %postun,
- add setting of MAILHOST and URLHOST to localhost.localdomain, don't let
- configure set them to the build machine.

* Mon Jan 27 2003 John Dennis 

- add the cross site scripting (xss) security patch to version 2.1

* Fri Jan 24 2003 John Dennis 

- do not start mailman service in %post

* Wed Jan 22 2003 Tim Powers 

- rebuilt

* Mon Jan 20 2003 John Dennis 

- 1) remove config patch, mailmanctl was not the right file to install in init.d,
- it needed to be scripts/mailman
- 2) rename httpd-mailman.conf to mailman.conf, since the file now lives
- in httpd/conf.d directory the http prefix is redundant and inconsistent
- with the other file names in that directory.

* Tue Jan  7 2003 John Dennis 

- Bring package up to date with current upstream source, 2.1
- Fix several install/packaging problems that were in upstream source
- Add multiple mail group functionality
- Fix syntax error in fblast.py
- Remove the forced setting of mail host and url host in mm_cfg.py

* Tue Nov 12 2002 Tim Powers  2.0.13-4

- remove files from $$RPM_BUILD_ROOT that we don't intent to ship

* Wed Aug 14 2002 Nalin Dahyabhai  2.0.13-3

- set MAILHOST and WWWHOST in case the configure script can't figure out the
  local host name

* Fri Aug  2 2002 Nalin Dahyabhai  2.0.13-2

- rebuild

* Fri Aug  2 2002 Nalin Dahyabhai  2.0.13-1

- specify log files individually, per faq wizard
- update to 2.0.13

* Wed May 22 2002 Nalin Dahyabhai  2.0.11-1

- update to 2.0.11

* Fri Apr  5 2002 Nalin Dahyabhai  2.0.9-1

- include README.QMAIL in with the docs (#58887)
- include README.SENDMAIL and README.EXIM in with the docs
- use an included httpd.conf file instead of listing the configuration
  directives in the %description, which due to specspo magic might look
  wrong sometimes (part of #51324)
- interpolate the DEFAULT_HOST_NAME value in mm.cfg into both the DEFAULT_URL
  and MAILMAN_OWNER (#57987)
- move logs to /var/log/mailman, qfiles to /var/spool/mailman, rotate
  logs in the log directory (#48724)
- raise exceptions when someone tries to set the admin address for a list
  to that of the admin alias (#61468)

* Thu Apr  4 2002 Nalin Dahyabhai 

- fix a default permissions problem in /var/mailman/archives/private,
  reported by Johannes Erdfelt
- update to 2.0.9

* Tue Apr  2 2002 Nalin Dahyabhai 

- make the symlink in /etc/smrsh relative

* Tue Dec 11 2001 Nalin Dahyabhai  2.0.8-1

- set FQDN and URL at build-time so that they won't be set to the host the
  RPM package is built on (#59177)

* Wed Nov 28 2001 Nalin Dahyabhai 

- update to 2.0.8

* Sat Nov 17 2001 Florian La Roche  2.0.7-1

- update to 2.0.7

* Wed Jul 25 2001 Nalin Dahyabhai  2.0.6-1

- update to 2.0.6

* Mon Jun 25 2001 Nalin Dahyabhai 

- code in default user/group names/IDs

* Wed May 30 2001 Nalin Dahyabhai 

- update to 2.0.5
- change the default hostname from localhost to localhost.localdomain in the
  default configuration
- chuck configuration file settings other than those dependent on the host name
  (the build system's host name is not a good default)  (#32337)

* Tue Mar 13 2001 Nalin Dahyabhai 

- update to 2.0.3

* Tue Mar  6 2001 Nalin Dahyabhai 

- update to 2.0.2

* Wed Feb 21 2001 Nalin Dahyabhai 

- patch from Barry Warsaw (via mailman-developers) to not die on
  broken Content-Type: headers

* Tue Jan  9 2001 Nalin Dahyabhai 

- update to 2.0.1

* Wed Dec  6 2000 Nalin Dahyabhai 

- update to 2.0 final release
- move the data to /var

* Fri Oct 20 2000 Nalin Dahyabhai 

- update to beta 6

* Thu Aug  3 2000 Nalin Dahyabhai 

- add note about adding FollowSymlinks so that archives work

* Wed Aug  2 2000 Nalin Dahyabhai 

- make the default owner root again so that root owns the docs
- update to 2.0beta5, which fixes a possible security vulnerability
- add smrsh symlink

* Mon Jul 24 2000 Prospector 

- rebuilt

* Wed Jul 19 2000 Nalin Dahyabhai 

- update to beta4
- change uid/gid to apache.apache to match apache (#13593)
- properly recompile byte-compiled versions of the scripts (#13619)
- change mailman alias from root to postmaster

* Sat Jul  1 2000 Nalin Dahyabhai 

- update to beta3
- drop bugs and arch patches (integrated into beta3)

* Tue Jun 27 2000 Nalin Dahyabhai 

- move web files to reside under /var/www
- move files from /usr/share to /usr/share
- integrate spot-fixes from mailman lists via gnome.org

* Mon Jun 19 2000 Nalin Dahyabhai 

- rebuild for Power Tools

* Tue May 23 2000 Nalin Dahyabhai 

- Update to 2.0beta2 to pick up security fixes.
- Change equires python to list >= 1.5.2

* Mon Nov  8 1999 Bernhard Rosenkranzer 

- 1.1

* Tue Sep 14 1999 Preston Brown 

- 1.0 final.

* Tue Jun 15 1999 Preston Brown 

- security fix for cookies
- moved to /usr/share/mailman

* Fri May 28 1999 Preston Brown 

- fix up default values.

* Fri May  7 1999 Preston Brown 

- modifications to install scripts

* Thu May  6 1999 Preston Brown 

- initial RPM for SWS 3.0


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

898fb9a008e82e26614d157bc6178244  SRPMS/mailman-2.1.5-10.fc2.src.rpm
69e2626ff50b3a1c71ef758a3724a5bb  x86_64/mailman-2.1.5-10.fc2.x86_64.rpm
9aa5111f6bd88033bebfc67d329b7679  x86_64/debug/mailman-debuginfo-2.1.5-10.fc2.x86_64.rpm
2bb2085fd024b45215d43d0c17dc05f4  i386/mailman-2.1.5-10.fc2.i386.rpm
088c601b4fd076b933128a398810f7b7  i386/debug/mailman-debuginfo-2.1.5-10.fc2.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
---------------------------------------------------------------------


-- 
John Dennis 


--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Today's Security Hacks Are After More Than Bank Info
How Boston Children's Hospital Hit Back at Anonymous
SNMP DDoS Scans Spoof Google Public DNS Server
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.