Bug 147833 - CAN-2004-1177 - mailman
Summary: CAN-2004-1177 - mailman
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: mailman   
(Show other bugs)
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: John Dennis
QA Contact:
Whiteboard: impact=important,public=20050110
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2005-02-11 19:23 UTC by Richard Phipps
Modified: 2007-11-30 22:07 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-03-21 18:31:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:235 high SHIPPED_LIVE Important: mailman security update 2005-03-21 05:00:00 UTC

Description Richard Phipps 2005-02-11 19:23:10 UTC
Description of problem:
 Missing XSS security patches for mailman-2.1.5 ?
Version-Release number of selected component (if applicable):

Additional info:
 It appears there was an XSS vuln in mailman thru version 2.1.5
 that was patched by other vendors, but not yet patched in
 RHEL to date(2005-02-11): [CAN-2004-1177] cross-site scripting in 

See also: 

Comment 1 John Dennis 2005-02-25 23:55:56 UTC
fixed, errata RHSA-2005-235

Comment 2 Josh Bressers 2005-02-28 11:38:09 UTC
I'm reopening this bug.  The errata system will close this when we
push the errata.

Comment 3 Mark J. Cox 2005-03-21 18:31:21 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Comment 4 Matthew Miller 2005-03-21 18:42:42 UTC
I don't see updates for Fedora Core in the FTP tree; are those on the way? Thanks.

Comment 5 Mark J. Cox 2005-03-21 18:49:41 UTC
you need bug 151643 for this flaw in Fedora Core

Comment 6 Matthew Miller 2005-03-21 18:52:28 UTC

Comment 7 Josh Bressers 2006-06-14 12:38:29 UTC
This comment is from my mail archive.  I'm adding it due to the bugzilla crash:

------- Additional Comments From deisenst@gtw.net  2006-06-11 04:08 EST -------
Created an attachment (id=130926)
 --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=130926&action=view)
Debian's patch for this issue for mailman-2.0.11

Looking over mailman for updating RHL 7.3 for Fedora Legacy, I was noticing
that this vulnerability was not patched in RHEL 2.1's
"mailman-2.0.13/scripts/driver" source file.  Debian, however, did patch
this for Debian Woody, mailman 2.0.11.

The attachment is the portion of Debian's patch file at

that (I think) would be relevant to this issue in the
"mailman-2.0.13/scripts/driver" file in RHEL 2.1's .src.rpm.  It applies
cleanly to mailman-2.0.13 sources.

My only guess why this issue was not patched for RHEL 2.1 is that the driver
script defaults to STEALTH_MODE = 1... which causes the code that could
potentially generate XSS web output to be skipped.

But if the user decided to turn off STEALTH_MODE (by changing line 30 of
mailman's driver file to "STEALTH_MODE = 0"), then wouldn't that user be
susceptible to the CAN-2004-1177 vulnerability?

Please let me know.    Regards,     -David E.

Comment 8 Josh Bressers 2006-06-14 12:59:44 UTC
------- Additional Comments From bressers@redhat.com  2006-06-13 11:54 EST -------
See bug 164933 for a description why this issue doesn't affect RHEL2.1 (and
likely  other old versions of mailman).

Note You need to log in before you can comment on or make changes to this bug.