Debian Security Advisory DSA 674-3                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
February 21st, 2005                     http://www.debian.org/security/faq

Package        : mailman
Vulnerability  : cross-site scripting, directory traversal
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-1177 CAN-2005-0202

Due to an incompatibility between Python 1.5 and 2.1, the last mailman
update did not run with Python 1.5 anymore.  This problem is corrected
with this update.  This advisory only updates the packages updated
with DSA 674-2.  The version in unstable is not affected since it is
not supposed to work with Python 1.5 anymore.  For completeness, below
is the original advisory text:

Two security-related problems have been discovered in mailman, the
web-based GNU mailing list manager.  The Common Vulnerabilities and
Exposures project identifies the following problems:

CAN-2004-1177

    Florian Weimer discovered a cross-site scripting vulnerability in
    mailman's automatically generated error messages.  An attacker
    could craft a URL containing JavaScript (or other content
    embedded into HTML) which triggers a mailman error page that
    would include the malicious code verbatim.

CAN-2005-0202

    Several listmasters have noticed unauthorised access to archives
    of private lists and the list configuration itself, including the
    users' passwords.  Administrators are advised to check the
    webserver logfiles for requests that contain "/...../" and the
    path to the archives or configuration.  This only seems to
    affect installations running on web servers that do not strip
    slashes, such as Apache 1.3.

For the stable distribution (woody) these problems have been fixed in
version 2.0.11-1woody11.

We recommend that you upgrade your mailman package.
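
The log check recommended under CAN-2005-0202, as an added example that is not part of the original advisory: a Python scan of Common Log Format access-log lines for the "/...../" marker, reporting which archive or configuration path each hit names. The path fragments, the sample log lines and the percent-decoding step are assumptions of this example, not values from the advisory.

```python
import re
from urllib.parse import unquote

MARKER = "/...../"  # the literal string the advisory says to look for

# Assumption: path fragments for this site's archives and list configuration.
# These values are constructed placeholders; substitute the local paths.
SENSITIVE_FRAGMENTS = ["/srv/example/archives", "/srv/example/lists"]

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def decode_target(target, rounds=2):
    """Percent-decode so an encoded form of the marker is compared too."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_suspicious(lines, fragments=SENSITIVE_FRAGMENTS):
    """Return one record per request whose decoded target contains MARKER."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        target = decode_target(m["target"])
        if MARKER not in target:
            continue
        hits.append({
            "line": lineno, "host": m["host"], "time": m["time"],
            "status": int(m["status"]), "target": target,
            # which archive/configuration paths the request names, if any
            "touches": [f for f in fragments if f in target],
        })
    return hits

# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2005:10:01:02 +0100] "GET /cgi-bin/example/listinfo/demo HTTP/1.0" 200 5120',
    '192.0.2.44 - - [10/Feb/2005:10:05:40 +0100] "GET /cgi-bin/example/private/demo/...../srv/example/archives/demo.mbox HTTP/1.0" 200 48213',
    '192.0.2.44 - - [10/Feb/2005:10:05:59 +0100] "GET /cgi-bin/example/private/demo/%2e%2e%2e%2e%2e/srv/example/lists/demo/config HTTP/1.0" 200 9120',
    '198.51.100.7 - - [10/Feb/2005:10:09:13 +0100] "GET /cgi-bin/example/private/demo/2005-February/ HTTP/1.0" 401 310',
]
```

A hit with status 200 and a non-empty "touches" list is the case to review first, since the advisory reports that list passwords were exposed this way.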