CAN-2004-1177 Affects: FC2
CAN-2004-1177 Affects: FC3

+++ This bug was initially created as a clone of Bug #147833 +++

Description of problem:
Missing XSS security patches for mailman-2.1.5?

Version-Release number of selected component (if applicable):
mailman-2.1.5-24.rhel3

Additional info:
It appears there was an XSS vuln in mailman through version 2.1.5 that was patched by other vendors, but not yet patched in RHEL to date (2005-02-11):

[CAN-2004-1177] cross-site scripting in /var/mailman/scripts/driver

See also:
https://bugzilla.ubuntu.com/show_bug.cgi?id=5057
http://www.securityfocus.com/bid/12243
The patch for CAN-2004-1177 was added to FC3, FC4, RHEL-3, RHEL-4 a month ago (2/25/2005) and errata RHSA-2005:235 was created for it. If this isn't showing up in the releases, all I can say is maybe it's another example of updates/errata getting bumped from updates.
I checked before adding a comment. The latest update in the tree and for which there was an announcement on the Fedora announce list was 2/9/2005 (announcement the next day on 2/10/2005). This mentions CAN-2005-0202, errata RHSA-2005:137, and bug #147343 -- nothing about this. I don't know anything about updates/errata getting "bumped", but I'm 90+% sure there was never an e-mailed announcement, and 66.67% sure that I would have seen it appear in the tree when it got rsynced, so if they're disappearing, it's pretty early on. Plus, it looks like the issue would also affect FC2, which is still supposed to be getting updates.
The updates for FC2 and FC3 have not been pushed according to our records.
The following were just pushed. The announcement is in the moderator pending queue at the moment.

FC2 mailman-2.1.5-10.fc2
FC3 mailman-2.1.5-32.fc3
Yes, confirming it in the tree. Thank you very much.