Hash: SHA1
------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
------------------------------------------------------------------------
PACKAGE : mailman
SUMMARY : Several mailman fixes
DATE : 2004-05-25 17:26:00
ID : CLA-2004:842
RELEVANT RELEASES : 8, 9
------------------------------------------------------------------------
DESCRIPTION
Mailman[1] is a mailing list manager.
This update fixes the following vulnerabilities for Conectiva Linux 9:
1) Cross site scripting vulnerability in the admin CGI script (CAN-2003-0965)[2]
2) Cross site scripting vulnerability in the create CGI script (CAN-2003-0992)[3]
3) Remote password retrieval vulnerability (CAN-2004-0412)[4]
As mentioned in the 2.1.5 release announcement[5], previous mailman
versions are vulnerable to a password retrieval attack which would
give the attacker the password a user chose when subscribing to a
mailing list.
For Conectiva Linux 8, the following vulnerability has been fixed:
- CAN-2003-0991[6]: denial of service vulnerability caused by specific
mail messages which would crash mailman.
SOLUTION
It is recommended that all mailman users upgrade their packages.
REFERENCES
1. http://www.list.org/
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0965
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0992
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0412
5. http://mail.python.org/pipermail/mailman-announce/2004-May/000072.html
6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0991
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/SRPMS/mailman-2.0.14-1U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mailman-2.0.14-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/mailman-2.1.4-27744U90_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mailman-2.1.4-27744U90_2cl.i386.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
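Before and after the upgrade, an administrator usually wants to confirm whether the installed mailman package is actually older than the fixed build listed under UPDATED PACKAGES. The script below is an added example, not part of the Conectiva advisory or of the mailman project. It re-implements rpm's segment-wise version comparison (rpmvercmp, without the later '~' and '^' rules) so it can run without librpm, takes the fixed version-release strings from this advisory, and, when run on a host, queries the local RPM database with `rpm -q`. The command-line argument for the Conectiva release and the `rpm -q --qf` query format are assumptions of the example.

```python
"""Check whether an installed mailman RPM is older than the fixed build.

Added example, not part of the Conectiva advisory. It re-implements the
segment-wise comparison rpm uses for version/release strings (rpmvercmp,
without the newer '~' and '^' rules) so the check can run without librpm.
The fixed versions come from the advisory's UPDATED PACKAGES list.
"""
import subprocess

# Fixed VERSION-RELEASE per Conectiva Linux release, taken from the advisory.
FIXED = {
    "8": ("2.0.14", "1U80_1cl"),
    "9": ("2.1.4", "27744U90_2cl"),
}


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp (simplified: no '~' or '^')."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything non-alphanumeric) only split segments.
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if not (i < len(a) and j < len(b)):
            break
        # The left operand decides the segment kind: a digit run is compared
        # against a digit run, a letter run against a letter run.
        isnum = a[i].isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        i2 = i
        while i2 < len(a) and same_kind(a[i2]):
            i2 += 1
        j2 = j
        while j2 < len(b) and same_kind(b[j2]):
            j2 += 1
        sa, sb = a[i:i2], b[j:j2]
        if not sb:
            # Mismatched kinds: a numeric segment sorts after an alpha one.
            return 1 if isnum else -1
        if isnum:
            # Numeric segments compare by magnitude: drop leading zeros,
            # then the longer string is the larger number.
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = i2, j2
    if i >= len(a) and j >= len(b):
        return 0
    # Whatever still has segments left is the newer string.
    return -1 if i >= len(a) else 1


def split_vr(vr: str) -> tuple:
    """Split 'VERSION-RELEASE' at the last dash, as rpm -q --qf prints it."""
    version, _, release = vr.rpartition("-")
    if not version:
        raise ValueError(f"expected VERSION-RELEASE, got {vr!r}")
    return version, release


def needs_update(installed_vr: str, cl_release: str) -> bool:
    """True if the installed mailman is older than the fixed package."""
    fixed_v, fixed_r = FIXED[cl_release]
    inst_v, inst_r = split_vr(installed_vr)
    c = rpmvercmp(inst_v, fixed_v)
    if c == 0:
        c = rpmvercmp(inst_r, fixed_r)
    return c < 0


def installed_mailman_vr():
    """Query the local RPM database; None if rpm is absent or mailman is not installed."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "mailman"],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    import sys
    # Assumption: the Conectiva release is given on the command line,
    # e.g. `python check_mailman.py 9`, on the host being checked.
    cl = sys.argv[1] if len(sys.argv) > 1 else "9"
    vr = installed_mailman_vr()
    if vr is None:
        print("mailman not installed or rpm unavailable")
    elif needs_update(vr, cl):
        print(f"mailman-{vr} is older than the fixed build; run apt-get update && apt-get upgrade")
    else:
        print(f"mailman-{vr} is at or above the fixed build")
```

The comparison is done segment by segment rather than as a plain string compare because release strings such as `27744U90_2cl` mix digit and letter runs, and a lexical compare would misorder `2.0.9` and `2.0.14`.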
------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com
------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe (at) papaleguas.conectiva.com (dot) br
unsubscribe: conectiva-updates-unsubscribe (at) papaleguas.conectiva.com (dot) br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFAs6wr42jd0JmAcZARAs2OAJ47bJ8wOcCWGLzzoJ59Jy+ml4nNQgCdH5eL
5fEbSUjcmCzWvmy6JF1s2Po=
=98+E
-----END PGP SIGNATURE-----