Bug 151643 - CAN-2004-1177 - mailman
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: mailman (Show other bugs)
Version: 3
Platform: All Linux
Priority: medium
Severity: high
Assigned To: John Dennis
Whiteboard: impact=important,public=20050110
Keywords: Security
Reported: 2005-03-21 07:11 EST by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2005-03-22 17:14:20 EST
Description Mark J. Cox (Product Security) 2005-03-21 07:11:10 EST
CAN-2004-1177 Affects: FC2
CAN-2004-1177 Affects: FC3

+++ This bug was initially created as a clone of Bug #147833 +++

Description of problem:
 Missing XSS security patches for mailman-2.1.5?
 
Version-Release number of selected component (if applicable):
 mailman-2.1.5-24.rhel3

Additional info:
 It appears there was an XSS vuln in mailman through version 2.1.5
 that was patched by other vendors, but not yet patched in
 RHEL to date (2005-02-11): [CAN-2004-1177] cross-site scripting in
 /var/mailman/scripts/driver

See also: 
https://bugzilla.ubuntu.com/show_bug.cgi?id=5057
http://www.securityfocus.com/bid/12243
Comment 1 John Dennis 2005-03-21 14:07:50 EST
The patch for CAN-2004-1177 was added to FC3, FC4, RHEL-3, RHEL-4 a month ago
(2/25/2005) and errata RHSA-2005:235 was created for it. If this isn't showing
up in the releases, all I can say is maybe it's another example of updates/errata
getting bumped from updates.
Comment 2 Matthew Miller 2005-03-21 14:19:47 EST
I checked before adding a comment.

The latest update in the tree and for which there was an announcement on the
Fedora announce list was 2/9/2005 (announcement the next day on 2/10/2005). This
mentions CAN-2005-0202, errata RHSA-2005:137, and bug #147343 -- nothing about this.

I don't know anything about updates/errata getting "bumped", but I'm 90+% sure
there was never an e-mailed announcement, and 66.67% sure that I would have seen
it appear in the tree when it got rsynced, so if they're disappearing, it's
pretty early on.

Plus, it looks like the issue would also affect FC2, which is still supposed to
be getting updates.
Comment 3 Mark J. Cox (Product Security) 2005-03-21 14:36:23 EST
The updates for FC2 and FC3 have not been pushed according to our records.
Comment 4 John Dennis 2005-03-22 16:00:51 EST
The following were just pushed. The announcement is in the moderator pending
queue at the moment.

FC2 mailman-2.1.5-10.fc2
FC3 mailman-2.1.5-32.fc3
Comment 5 Matthew Miller 2005-03-22 17:14:20 EST
Yes, confirming it in the tree. Thank you very much.
