[Secure-testing-team] Tracking: security problems fixed by Mailman 2.1.9
Alec Berryman
alec at thened.net
Tue Sep 12 14:23:22 UTC 2006
Lionel Elie Mamane on 2006-09-12 10:18:32 +0200:
> The following security problems will be fixed by the upload of Mailman
> 2.1.9, if and when we upload it:
>
> - A malicious user could visit a specially crafted URI and inject an
> apparent log message into Mailman's error log which might induce an
> unsuspecting administrator to visit a phishing site. This has been
> blocked. Thanks to Moritz Naumann for its discovery.
Does this one have a CVE or an upstream identification number?
> - Fixed denial of service attack which can be caused by some
> standards-breaking RFC 2231 formatted headers. CVE-2006-2941.
>
> - Several cross-site scripting issues have been fixed. Thanks to Moritz
> Naumann for their discovery. CVE-2006-3636.
I've now noted that the current Mailman is vulnerable to these two.
Thanks for sending us this information.
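The first item quoted above (a crafted URI that injects an apparent record into the error log) is a classic log-injection pattern. The following is an added example, not Mailman's own code and not its actual log format or fix: it assumes a hypothetical "<date> (<pid>) <message>" record shape, a constructed malicious URI with a placeholder phishing hostname, and shows the vulnerable logger beside a hardened one that escapes control characters so attacker data cannot terminate a record.

```python
import re

# Constructed sample: a request URI carrying CR/LF followed by a fake log
# record that points an administrator at a phishing URL. The hostname is a
# placeholder, not a real site, and the whole string is an assumption.
MALICIOUS_URI = (
    "/mailman/listinfo/nosuchlist\r\n"
    "Sep 12 14:23:22 2006 (1234) admin: session expired, re-login at "
    "http://phish.example.invalid/mailman/admin"
)

# Hypothetical record shape "<date> (<pid>) <message>", assumed for this example.
RECORD_RE = re.compile(
    r"^(?P<date>\w{3} \d\d \d\d:\d\d:\d\d \d{4}) \((?P<pid>\d+)\) (?P<msg>.*)$"
)


def format_naive(uri):
    """Vulnerable: the attacker-controlled URI is written verbatim, so any CR or
    LF inside it ends the record early and the remainder becomes a new, fake
    record that looks like it was written by the application."""
    return "Sep 12 14:23:22 2006 (1234) No such list or bad URI: %s" % uri


def sanitize(value):
    """Escape every ASCII control character (CR, LF, NUL, ESC, ...) as \\xNN so
    user-supplied data can never terminate or forge a log record, while the
    attacker's payload stays readable as evidence."""
    return re.sub(r"[\x00-\x1f\x7f]", lambda m: "\\x%02x" % ord(m.group(0)), value)


def format_safe(uri):
    """Hardened: identical record, but the URI passes through sanitize() first."""
    return "Sep 12 14:23:22 2006 (1234) No such list or bad URI: %s" % sanitize(uri)


def parse_records(text):
    """Split log text into records the way an administrator (or a log viewer)
    reads it: one line per record, each matched against RECORD_RE."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


if __name__ == "__main__":
    for label, fn in (("naive", format_naive), ("safe", format_safe)):
        text = fn(MALICIOUS_URI)
        print("%s logger produced %d record(s):" % (label, len(parse_records(text))))
        for rec in parse_records(text):
            print("  [%s] %s" % (rec["pid"], rec["msg"]))
```

With the naive logger the single request yields two parseable records, the second of which reads as a legitimate administrative notice; with control characters escaped the same request yields exactly one record in which the CR/LF is visible as `\x0d\x0a`. Escaping at the logging boundary is preferable to rejecting "bad" URIs, because it also covers any other field (headers, list names, form values) that later ends up in the same log.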