Bug 152735

Summary: CAN-2004-0412 Mailman password retrieval
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0412
Doc Type: Bug Fix
Last Closed: 2005-04-05 22:47:20 UTC

Description David Lawrence 2005-03-30 23:25:37 UTC
A flaw in Mailman 2.1.* allows a remote attacker to retrieve the
mailman password of any subscriber by sending a carefully crafted
email request to the mailman server.

A simple patch is available, and the flaw is fixed upstream in Mailman 2.1.5.



------- Additional Comments From marcdeslauriers 2004-06-09 02:01:15 ----

More info:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0412
http://mail.python.org/pipermail/mailman-announce/2004-May/000072.html




------- Additional Comments From marcdeslauriers 2004-06-09 13:17:31 ----

Here are packages for rh9:

Changelog:
* Wed Jun 09 2004 Marc Deslauriers <marcdeslauriers> 3:2.1.1-6.legacy
- security errata CAN-2004-0412, user password compromise

96d1f313d39b7195f3cf785498148dc57f5c8cdb  mailman-2.1.1-6.legacy.i386.rpm
1a01c9dd61cafe81ed211f8acc14c75b1f1f74e1  mailman-2.1.1-6.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/mailman-2.1.1-6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mailman-2.1.1-6.legacy.src.rpm





------- Additional Comments From jonny.strom 2004-06-09 23:31:41 ----

I did a QA on the RH 9 packages in Comment #2:

SHA1 is ok.
Installs ok.
Spec file looks ok.
Patch looks ok; it is a trivial fix.

I vote for publish.



------- Additional Comments From jkeating 2004-06-16 18:20:44 ----

Pushed to updates-testing:

  http://download.fedoralegacy.org/redhat/

4dee398d2d9b1d107850665f04c082073b4465a5  9/updates-testing/SRPMS/mailman-2.1.1-7.legacy.src.rpm
66cbbfcf168869969b0aaa0298d3680c3b8e5a3c  9/updates-testing/i386/mailman-2.1.1-7.legacy.i386.rpm



------- Additional Comments From madhatter 2004-06-18 09:45:55 ----

I have tested 2.1.1-7 (sha1sum 66cbbfcf168869969b0aaa0298d3680c3b8e5a3c) on a
moderately busy mailman server and it works fine, from a
serving-lists-and-handling-moderator-requests standpoint.  ymmv <grin>.



------- Bug moved to this database by dkl 2005-03-30 18:25 -------

This bug previously known as bug 1734 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1734
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P1. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.



Comment 1 Marc Deslauriers 2005-04-05 22:47:20 UTC

*** This bug has been marked as a duplicate of 152895 ***