Bug 151643 - CAN-2004-1177 - mailman
Summary: CAN-2004-1177 - mailman
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mailman
Version: 3
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: John Dennis
QA Contact:
URL:
Whiteboard: impact=important,public=20050110
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-03-21 12:11 UTC by Mark J. Cox
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2005-03-22 22:14:20 UTC


Attachments (Terms of Use)

Description Mark J. Cox 2005-03-21 12:11:10 UTC
CAN-2004-1177 Affects: FC2
        CAN-2004-1177 Affects: FC3

+++ This bug was initially created as a clone of Bug #147833 +++

Description of problem:
 Missing XSS security patches for mailman-2.1.5 ?
 
Version-Release number of selected component (if applicable):
 mailman-2.1.5-24.rhel3

Additional info:
 It appears there was an XSS vuln in mailman thru version 2.1.5
 that was patched by other vendors, but not yet patched in
 RHEL to date(2005-02-11): [CAN-2004-1177] cross-site scripting in 
 /var/mailman/scripts/driver

See also: 
https://bugzilla.ubuntu.com/show_bug.cgi?id=5057
http://www.securityfocus.com/bid/12243

Comment 1 John Dennis 2005-03-21 19:07:50 UTC
The patch for CAN-2004-1177 was added to FC3, FC4, RHEL-3, RHEL-4 a month ago
(2/25/2005) and errata RHSA-2005:235 was created for it. If this isn't showing
up in the releases all I can say is maybe its another example of updates/erratas
getting bumped from updates.

Comment 2 Matthew Miller 2005-03-21 19:19:47 UTC
I checked before adding a comment.

The latest update in the tree and for which there was an announcement on the
Fedora announce list was 2/9/2005 (announcement the next day on 2/10/2005). This
mentions CAN-2005-0202, errata RHSA-2005:137, and bug #147343 -- nothing about this.

I don't know anything about updates/errata getting "bumped", but I'm 90+% sure
there was never an e-mailed announcement, and 66.67% sure that I would have seen
it appear in the tree when it got rsynced, so if they're disappearing, it's
pretty early on.

Plus, it looks like the issue would also affect FC2, which is still supposed to
be getting updates.

Comment 3 Mark J. Cox 2005-03-21 19:36:23 UTC
The updates for FC2 and FC3 have not been pushed according to our records.

Comment 4 John Dennis 2005-03-22 21:00:51 UTC
The following were just pushed. The announcement is in the moderator pending
queue at the moment.

FC2 mailman-2.1.5-10.fc2
FC3 mailman-2.1.5-32.fc3


Comment 5 Matthew Miller 2005-03-22 22:14:20 UTC
Yes, confirming it in the tree. Thank you very much.


Note You need to log in before you can comment on or make changes to this bug.