Bug 147833

Summary: CAN-2004-1177 - mailman
Product: Red Hat Enterprise Linux 3
Reporter: Richard Phipps <rphipps+bugzredhat>
Component: mailman
Assignee: John Dennis <jdennis>
Status: CLOSED ERRATA
Severity: high
Priority: medium
Version: 3.0
CC: mattdm, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20050110
Doc Type: Bug Fix
Last Closed: 2005-03-21 18:31:20 UTC

Description Richard Phipps 2005-02-11 19:23:10 UTC
Description of problem:
 Missing XSS security patches for mailman-2.1.5 ?
 
Version-Release number of selected component (if applicable):
 mailman-2.1.5-24.rhel3

Additional info:
 It appears there was an XSS vuln in mailman through version 2.1.5
 that was patched by other vendors, but not yet patched in
 RHEL to date (2005-02-11): [CAN-2004-1177] cross-site scripting in
 /var/mailman/scripts/driver

See also: 
https://bugzilla.ubuntu.com/show_bug.cgi?id=5057
http://www.securityfocus.com/bid/12243

Comment 1 John Dennis 2005-02-25 23:55:56 UTC
fixed, errata RHSA-2005-235

Comment 2 Josh Bressers 2005-02-28 11:38:09 UTC
I'm reopening this bug.  The errata system will close this when we
push the errata.

Comment 3 Mark J. Cox 2005-03-21 18:31:21 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-235.html


Comment 4 Matthew Miller 2005-03-21 18:42:42 UTC
I don't see updates for Fedora Core in the FTP tree; are those on the way? Thanks.

Comment 5 Mark J. Cox 2005-03-21 18:49:41 UTC
you need bug 151643 for this flaw in Fedora Core

Comment 6 Matthew Miller 2005-03-21 18:52:28 UTC
thanks

Comment 7 Josh Bressers 2006-06-14 12:38:29 UTC
This comment is from my mail archive.  I'm adding it due to the bugzilla crash:

------- Additional Comments From deisenst  2006-06-11 04:08 EST -------
Created an attachment (id=130926)
 --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=130926&action=view)
Debian's patch for this issue for mailman-2.0.11

Looking over mailman for updating RHL 7.3 for Fedora Legacy, I was noticing
that this vulnerability was not patched in RHEL 2.1's
"mailman-2.0.13/scripts/driver" source file.  Debian, however, did patch
this for Debian Woody, mailman 2.0.11.

The attachment is the portion of Debian's patch file at
http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody11.diff.gz

that (I think) would be relevant to this issue in the
"mailman-2.0.13/scripts/driver" file in RHEL 2.1's .src.rpm.  It applies
cleanly to mailman-2.0.13 sources.

My only guess why this issue was not patched for RHEL 2.1 is that the driver
script defaults to STEALTH_MODE = 1... which causes the code that could
potentially generate XSS web output to be skipped.

But if the user decided to turn off STEALTH_MODE (by changing line 30 of
mailman's driver file to "STEALTH_MODE = 0"), then wouldn't that user be
susceptible to the CAN-2004-1177 vulnerability?

Please let me know.  Regards,  -David E.

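The STEALTH_MODE gating that comment 7 describes, shown as an added Python example that is not Mailman's own driver code and not part of this bug report: a constructed error handler that, like the driver, dumps CGI environment variables into an HTML error page when STEALTH_MODE is off. The sample environment, the function names and the exact markup are assumptions for illustration. It shows why a default of STEALTH_MODE = 1 makes the unescaped dump unreachable, and what changes once that default is flipped: with the dump enabled, the request data has to be HTML-escaped before it is written into the page.

```python
import html

# Constructed sample CGI environment, as a web server would hand it to a
# Mailman CGI wrapper for a request that carries script payloads in the
# query string and User-Agent.  Values are made up for this example.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/mailman/listinfo",
    "QUERY_STRING": "x=<script>alert(document.cookie)</script>",
    "HTTP_USER_AGENT": 'Mozilla/5.0 "><img src=x onerror=alert(1)>',
}


def render_error_page(environ, stealth_mode=True, escape=True):
    """Return the HTML an error handler in the style of Mailman's
    scripts/driver would emit after an unhandled exception.

    stealth_mode=True  -> generic message only; the environment dump is
                          never emitted (the skipped code path comment 7
                          refers to)
    stealth_mode=False -> dump every environment variable into the page
    escape=True        -> HTML-escape names and values before inserting
                          them; escape=False reproduces unescaped output
    (The markup and parameter names are assumptions for this example.)
    """
    lines = [
        "<html><head><title>Bug in Mailman</title></head><body>",
        "<h2>Bug in Mailman</h2>",
        "<p>We're sorry, we hit a bug!</p>",
    ]
    if stealth_mode:
        lines.append("<p>Please inform the webmaster.</p>")
    else:
        lines.append("<hr><h4>Environment variables:</h4><table>")
        for name, value in sorted(environ.items()):
            if escape:
                # quote=True also escapes " and ', so a value cannot break
                # out of an attribute if the markup is ever changed to
                # place it inside one.
                name = html.escape(name, quote=True)
                value = html.escape(value, quote=True)
            lines.append("<tr><td><b>%s</b></td><td>%s</td></tr>" % (name, value))
        lines.append("</table>")
    lines.append("</body></html>")
    return "\n".join(lines)


def is_reflected_unescaped(page, payload="<script>"):
    """True if the raw payload appears in the page, i.e. a browser would
    parse it as markup instead of displaying it as text."""
    return payload in page


if __name__ == "__main__":
    for stealth, esc in [(True, False), (False, False), (False, True)]:
        page = render_error_page(SAMPLE_ENVIRON, stealth_mode=stealth, escape=esc)
        print("STEALTH_MODE=%d escape=%d -> raw payload reflected: %s"
              % (stealth, esc, is_reflected_unescaped(page)))
```

Running it prints that only the combination STEALTH_MODE=0 with no escaping reflects the raw payload. The check a practitioner would want is the same one: a driver that is only protected by STEALTH_MODE = 1 is one configuration edit away from reflecting request data, so the fix belongs in the output code, not in the default setting.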

Comment 8 Josh Bressers 2006-06-14 12:59:44 UTC
------- Additional Comments From bressers  2006-06-13 11:54 EST -------
See bug 164933 for a description of why this issue doesn't affect RHEL2.1 (and
likely other old versions of mailman).