A flaw in Mailman 2.1.* allows a remote attacker to retrieve the mailman password of any subscriber by sending a carefully crafted email request to the mailman server. A simple patch is available and is fixed upstream in Mailman 2.1.5.

------- Additional Comments From marcdeslauriers 2004-06-09 02:01:15 ----

More info:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0412
http://mail.python.org/pipermail/mailman-announce/2004-May/000072.html

------- Additional Comments From marcdeslauriers 2004-06-09 13:17:31 ----

Here are packages for rh9:

Changelog:
* Wed Jun 09 2004 Marc Deslauriers <marcdeslauriers> 3:2.1.1-6.legacy
- security errata CAN-2004-0412, user password compromise

96d1f313d39b7195f3cf785498148dc57f5c8cdb  mailman-2.1.1-6.legacy.i386.rpm
1a01c9dd61cafe81ed211f8acc14c75b1f1f74e1  mailman-2.1.1-6.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/mailman-2.1.1-6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mailman-2.1.1-6.legacy.src.rpm

------- Additional Comments From jonny.strom 2004-06-09 23:31:41 ----

I did a QA on the RH 9 packages in Comment #2:

SHA1 is ok.
Installs ok.
Spec file looks ok.
Patch looks ok, it is a trivial fix.

I vote for publish.

------- Additional Comments From jkeating 2004-06-16 18:20:44 ----

Pushed to updates-testing: http://download.fedoralegacy.org/redhat/

4dee398d2d9b1d107850665f04c082073b4465a5  9/updates-testing/SRPMS/mailman-2.1.1-7.legacy.src.rpm
66cbbfcf168869969b0aaa0298d3680c3b8e5a3c  9/updates-testing/i386/mailman-2.1.1-7.legacy.i386.rpm

------- Additional Comments From madhatter 2004-06-18 09:45:55 ----

I have tested 2.1.1-7 (sha1sum 66cbbfcf168869969b0aaa0298d3680c3b8e5a3c) on a moderately busy mailman server and it works fine, from a serving-lists-and-handling-moderator-requests standpoint. ymmv <grin>.

------- Bug moved to this database by dkl 2005-03-30 18:25 -------

This bug previously known as bug 1734 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1734

Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P1. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.
*** This bug has been marked as a duplicate of 152895 ***