Description of problem:
Missing XSS security patches for mailman-2.1.5 ?
Version-Release number of selected component (if applicable):
It appears there was an XSS vuln in mailman thru version 2.1.5
that was patched by other vendors, but not yet patched in
RHEL to date(2005-02-11): [CAN-2004-1177] cross-site scripting in
fixed, errata RHSA-2005-235
I'm reopening this bug. The errata system will close this when we
push the errata.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
I don't see updates for Fedora Core in the FTP tree; are those on the way? Thanks.
you need bug 151643 for this flaw in Fedora Core
This comment is from my mail archive. I'm adding it due to the bugzilla crash:
------- Additional Comments From firstname.lastname@example.org 2006-06-11 04:08 EST -------
Created an attachment (id=130926)
Debian's patch for this issue for mailman-2.0.11
Looking over mailman for updating RHL 7.3 for Fedora Legacy, I was noticing
that this vulnerability was not patched in RHEL 2.1's
"mailman-2.0.13/scripts/driver" source file. Debian, however, did patch
this for Debian Woody, mailman 2.0.11.
The attachment is the portion of Debian's patch file at
that (I think) would be relevant to this issue in the
"mailman-2.0.13/scripts/driver" file in RHEL 2.1's .src.rpm. It applies
cleanly to mailman-2.0.13 sources.
My only guess why this issue was not patched for RHEL 2.1 is that the driver
script defaults to STEALTH_MODE = 1... which causes the code that could
potentially generate XSS web output to be skipped.
But if the user decided to turn off STEALTH_MODE (by changing line 30 of
mailman's driver file to "STEALTH_MODE = 0"), then wouldn't that user be
susceptible to the CAN-2004-1177 vulnerability?
Please let me know. Regards, -David E.
------- Additional Comments From email@example.com 2006-06-13 11:54 EST -------
See bug 164933 for a description why this issue doesn't affect RHEL2.1 (and
likely other old versions of mailman).