Red Hat Bugzilla – Bug 151643
CAN-2004-1177 - mailman
Last modified: 2007-11-30 17:11:02 EST
CAN-2004-1177 Affects: FC2
CAN-2004-1177 Affects: FC3
+++ This bug was initially created as a clone of Bug #147833 +++
Description of problem:
Missing XSS security patches for mailman-2.1.5?
Version-Release number of selected component (if applicable):
It appears there was an XSS vuln in mailman through version 2.1.5
that was patched by other vendors, but not yet patched in
RHEL to date (2005-02-11): [CAN-2004-1177] cross-site scripting in
The patch for CAN-2004-1177 was added to FC3, FC4, RHEL-3, RHEL-4 a month ago
(2/25/2005) and errata RHSA-2005:235 was created for it. If this isn't showing
up in the releases, all I can say is maybe it's another example of updates/errata
getting bumped from updates.
I checked before adding a comment.
The latest update in the tree and for which there was an announcement on the
Fedora announce list was 2/9/2005 (announcement the next day on 2/10/2005). This
mentions CAN-2005-0202, errata RHSA-2005:137, and bug #147343 -- nothing about this.
I don't know anything about updates/errata getting "bumped", but I'm 90+% sure
there was never an e-mailed announcement, and 66.67% sure that I would have seen
it appear in the tree when it got rsynced, so if they're disappearing, it's
pretty early on.
Plus, it looks like the issue would also affect FC2, which is still supposed to
be getting updates.
The updates for FC2 and FC3 have not been pushed according to our records.
The following were just pushed. The announcement is in the moderator pending
queue at the moment.
Yes, confirming it in the tree. Thank you very much.