Bug 152735 - CAN-2004-0412 Mailman password retrieval
Status: CLOSED DUPLICATE of bug 152895
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
http://cve.mitre.org/cgi-bin/cvename....
Reported: 2004-06-09 01:59 EDT by Marc Deslauriers
Modified: 2014-01-21 17:51 EST

Doc Type: Bug Fix
Last Closed: 2005-04-05 18:47:20 EDT


Description David Lawrence 2005-03-30 18:25:37 EST
A flaw in Mailman 2.1.* allows a remote attacker to retrieve the
mailman password of any subscriber by sending a carefully crafted
email request to the mailman server.

A simple patch is available, and the flaw is fixed upstream in Mailman 2.1.5.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-09 02:01:15 ----

More info:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0412
http://mail.python.org/pipermail/mailman-announce/2004-May/000072.html




------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-09 13:17:31 ----

Here are packages for rh9:

Changelog:
* Wed Jun 09 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 3:2.1.1-6.legacy
- security errata CAN-2004-0412, user password compromise

96d1f313d39b7195f3cf785498148dc57f5c8cdb  mailman-2.1.1-6.legacy.i386.rpm
1a01c9dd61cafe81ed211f8acc14c75b1f1f74e1  mailman-2.1.1-6.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/mailman-2.1.1-6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mailman-2.1.1-6.legacy.src.rpm





------- Additional Comments From jonny.strom@netikka.fi 2004-06-09 23:31:41 ----

I did a QA on the RH 9 packages in Comment #2:

SHA1 is ok.
Installs ok.
Spec file looks ok.
Patch looks ok; it is a trivial fix.

I vote for publish.



------- Additional Comments From jkeating@j2solutions.net 2004-06-16 18:20:44 ----

Pushed to updates-testing:

  http://download.fedoralegacy.org/redhat/

4dee398d2d9b1d107850665f04c082073b4465a5  9/updates-testing/SRPMS/mailman-2.1.1-7.legacy.src.rpm
66cbbfcf168869969b0aaa0298d3680c3b8e5a3c  9/updates-testing/i386/mailman-2.1.1-7.legacy.i386.rpm



------- Additional Comments From madhatter@teaparty.net 2004-06-18 09:45:55 ----

i have tested 2.1.1-7 (sha1sum 66cbbfcf168869969b0aaa0298d3680c3b8e5a3c) on a
moderately busy mailman server and it works fine, from a
serving-lists-and-handling-moderator-requests standpoint.  ymmv <grin>.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:25 -------

This bug previously known as bug 1734 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1734
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P1. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Deslauriers 2005-04-05 18:47:20 EDT

*** This bug has been marked as a duplicate of 152895 ***
