[Secure-testing-team] Tracking: security problems fixed by Mailman 2.1.9
Lionel Elie Mamane
lionel at mamane.lu
Wed Sep 13 09:52:44 UTC 2006
On Tue, Sep 12, 2006 at 10:23:22AM -0400, Alec Berryman wrote:
> Lionel Elie Mamane on 2006-09-12 10:18:32 +0200:
>> The following security problems will be fixed by the upload of Mailman
>> 2.1.9, if and when we upload it:
>> - A malicious user could visit a specially crafted URI and inject an
>> apparent log message into Mailman's error log which might induce an
>> unsuspecting administrator to visit a phishing site. This has been
>> blocked. Thanks to Moritz Naumann for its discovery.
> Does this one have a CVE or an upstream identification number?
I'm not aware of any. The upstream announcement is at
https://sourceforge.net/project/shownotes.php?release_id=447065&group_id=103
I forgot also:
- Format string vulnerability, but not exploitable. CVE-2006-2191. I
mention it only because it got a CVE number assigned, but as it is
not exploitable, it is fair to say it is _not_ a security hole.
--
Lionel