Bug 147833 - CAN-2004-1177 - mailman
Summary: CAN-2004-1177 - mailman
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: mailman
Version: 3.0
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: John Dennis
QA Contact:
URL:
Whiteboard: impact=important,public=20050110
Depends On:
Blocks:
Reported: 2005-02-11 19:23 UTC by Richard Phipps
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-03-21 18:31:20 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2005:235
Private: 0
Priority: high
Status: SHIPPED_LIVE
Summary: Important: mailman security update
Last Updated: 2005-03-21 05:00:00 UTC

Description Richard Phipps 2005-02-11 19:23:10 UTC
Description of problem:
 Missing XSS security patches for mailman-2.1.5 ?
 
Version-Release number of selected component (if applicable):
 mailman-2.1.5-24.rhel3

Additional info:
 It appears there was an XSS vuln in mailman thru version 2.1.5
 that was patched by other vendors, but not yet patched in
 RHEL to date (2005-02-11): [CAN-2004-1177] cross-site scripting in
 /var/mailman/scripts/driver

See also: 
https://bugzilla.ubuntu.com/show_bug.cgi?id=5057
http://www.securityfocus.com/bid/12243

Comment 1 John Dennis 2005-02-25 23:55:56 UTC
fixed, errata RHSA-2005-235

Comment 2 Josh Bressers 2005-02-28 11:38:09 UTC
I'm reopening this bug.  The errata system will close this when we
push the errata.

Comment 3 Mark J. Cox 2005-03-21 18:31:21 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-235.html


Comment 4 Matthew Miller 2005-03-21 18:42:42 UTC
I don't see updates for Fedora Core in the FTP tree; are those on the way? Thanks.

Comment 5 Mark J. Cox 2005-03-21 18:49:41 UTC
You need bug 151643 for this flaw in Fedora Core.

Comment 6 Matthew Miller 2005-03-21 18:52:28 UTC
thanks

Comment 7 Josh Bressers 2006-06-14 12:38:29 UTC
This comment is from my mail archive.  I'm adding it due to the bugzilla crash:

------- Additional Comments From deisenst  2006-06-11 04:08 EST -------
Created an attachment (id=130926)
 --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=130926&action=view)
Debian's patch for this issue for mailman-2.0.11

Looking over mailman for updating RHL 7.3 for Fedora Legacy, I was noticing
that this vulnerability was not patched in RHEL 2.1's
"mailman-2.0.13/scripts/driver" source file.  Debian, however, did patch
this for Debian Woody, mailman 2.0.11.

The attachment is the portion of Debian's patch file at
http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody11.diff.gz

that (I think) would be relevant to this issue in the
"mailman-2.0.13/scripts/driver" file in RHEL 2.1's .src.rpm.  It applies
cleanly to mailman-2.0.13 sources.

My only guess why this issue was not patched for RHEL 2.1 is that the driver
script defaults to STEALTH_MODE = 1... which causes the code that could
potentially generate XSS web output to be skipped.

But if the user decided to turn off STEALTH_MODE (by changing line 30 of
mailman's driver file to "STEALTH_MODE = 0"), then wouldn't that user be
susceptible to the CAN-2004-1177 vulnerability?

Please let me know.    Regards,     -David E.
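
The gating described in the comment above, as an added illustration that is not Mailman's driver code or Debian's patch: a hypothetical CGI error-page helper showing that a stealth branch writes no request-derived text, while a verbose branch is only safe if every value is HTML-escaped. The function names, parameters and sample request are constructed here, and the assumption that the verbose page echoes request values is this example's, not the bug report's.

```python
import html

STEALTH_MODE = 1  # assumed default, matching the setting quoted above


def render_error_page(exc_text, environ, stealth=STEALTH_MODE, escape=True):
    """Build the HTML body of a CGI error page (hypothetical helper).

    exc_text is the traceback text; environ is the request environment,
    which the client partly controls (path, query string, headers).
    """
    parts = ["<h2>Error</h2>", "<p>The request could not be completed.</p>"]
    if stealth:
        # Stealth branch: no diagnostics leave the server, so no
        # request-derived text is written into the page at all.
        return "\n".join(parts)
    # Verbose branch: every value is untrusted and must be escaped.
    safe = html.escape if escape else (lambda s: s)
    parts.append("<pre>%s</pre>" % safe(exc_text))
    parts.append("<table>")
    for key in sorted(environ):
        parts.append("<tr><td>%s</td><td>%s</td></tr>"
                     % (safe(key), safe(str(environ[key]))))
    parts.append("</table>")
    return "\n".join(parts)


def contains_markup(page, marker):
    """True if marker survived into the page unescaped."""
    return marker in page


# Constructed sample request carrying harmless markup in a client-set field.
MARKER = "<b>probe</b>"
SAMPLE_ENVIRON = {"PATH_INFO": "/listinfo/" + MARKER, "REQUEST_METHOD": "GET"}
SAMPLE_TRACE = "KeyError: 'listinfo/" + MARKER + "'"

if __name__ == "__main__":
    cases = [
        ("stealth on", dict(stealth=1)),
        ("stealth off, unescaped", dict(stealth=0, escape=False)),
        ("stealth off, escaped", dict(stealth=0, escape=True)),
    ]
    for label, kwargs in cases:
        page = render_error_page(SAMPLE_TRACE, SAMPLE_ENVIRON, **kwargs)
        reflected = contains_markup(page, MARKER)
        print(label, "->", "markup reflected" if reflected else "no markup reflected")
```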


Comment 8 Josh Bressers 2006-06-14 12:59:44 UTC
------- Additional Comments From bressers  2006-06-13 11:54 EST -------
See bug 164933 for a description of why this issue doesn't affect RHEL2.1 (and
likely other old versions of mailman).


