Bug 152895 - CAN-2005-0202 Mailman directory traversal
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: mailman
Version: unspecified
Hardware: All Linux
Priority: high / Severity: medium
Assigned To: Fedora Legacy Bugs
URL: https://rhn.redhat.com/errata/RHSA-20...
Whiteboard: 1, LEGACY, QA, rh73, rh90
Keywords: Security
Duplicates: 152667 152735

Reported: 2005-02-10 07:15 EST by Jeff Sheltren
Modified: 2007-03-27 00:29 EDT
Last Closed: 2005-07-10 17:29:05 EDT
Description David Lawrence 2005-03-30 18:31:17 EST
Created an SRPM using patch from RHEL3 and SRPM from FC1.

http://www.cs.ucsb.edu/~jeff/mailman-2.1.5-7.legacy.src.rpm

Feel free to use/rebuild as necessary.



------- Additional Comments From dom@earth.li 2005-02-10 09:27:32 ----

QA for RPM in comment 1:

6e4d02c20ca4f3093a4b1ba6b82f3b1533ccfeab  mailman-2.1.5-7.legacy.src.rpm

- spec change good
- patch good
- sources good
- no other changes

PUBLISH fc1



------- Additional Comments From sheltren@cs.ucsb.edu 2005-02-10 11:50:05 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Whoops, guess I should have gpg signed my first message
and added the shasum... well, I'll get used to this eventually :)

I've also taken the most recent legacy mailman release for RH9 and rebuilt
it with the same patch as used in the RHEL update.

It can be found here:
http://www.cs.ucsb.edu/~jeff/mailman-2.1.1-8.legacy.src.rpm

sha1sums for both packages:
2c129fa1352fdd3600b0230a94aab743f3c15bac  mailman-2.1.1-8.legacy.src.rpm
6e4d02c20ca4f3093a4b1ba6b82f3b1533ccfeab  mailman-2.1.5-7.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCC9b7Ke7MLJjUbNMRAt1eAKCerWibc5iRduGytDhQes0PeHlhlACeLK2w
+A1TQrNhMY+QJ8SgE3Mh2Sk=
=XSBD
-----END PGP SIGNATURE-----
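The QA step in this thread is a digest comparison: the reviewer posts sha1sum output for each SRPM and the packager confirms the file matches before voting. The following added example (my code, not from Fedora Legacy or from this bug) parses sha1sum-style manifest lines, such as the two posted above, and checks the files in a directory against them, reporting OK, FAILED or MISSING per entry. The file names and contents inside `demo()` are constructed for the run; the digest values posted in the comment belong to SRPMs that are not included here.

```python
"""Verify files against a sha1sum-style manifest ("<sha1>  <name>" lines).
Added example; not part of the bug report or of the Fedora Legacy tooling."""
import hashlib
import os
import re
import tempfile
from typing import Dict

# One entry per line, exactly as `sha1sum` prints it: 40 hex chars, a space,
# then a second space (text mode) or '*' (binary mode), then the file name.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{40})\s[ *](.+)$")


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {filename: expected_sha1_hex} from sha1sum-formatted lines.
    Anything that is not a digest entry (PGP armour, prose) is skipped."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def sha1_of_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-1 so large RPMs are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(manifest_text: str, directory: str) -> Dict[str, str]:
    """Check each manifest entry against the file of that name in `directory`.
    Result per entry: "OK", "FAILED" (digest mismatch) or "MISSING"."""
    results: Dict[str, str] = {}
    for name, digest in parse_manifest(manifest_text).items():
        # A manifest is untrusted input: only bare file names are looked up,
        # so an entry with path components cannot point outside `directory`.
        if os.path.basename(name) != name:
            results[name] = "MISSING"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if sha1_of_file(path) == digest else "FAILED"
    return results


def demo() -> Dict[str, str]:
    """Constructed, self-contained run: two files on disk, a manifest with one
    correct digest, one wrong digest and one entry whose file does not exist."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good.src.rpm", b"constructed payload A"),
                           ("tampered.src.rpm", b"constructed payload B")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = "\n".join([
            hashlib.sha1(b"constructed payload A").hexdigest() + "  good.src.rpm",
            "0" * 40 + "  tampered.src.rpm",   # digest the file will not match
            "1" * 40 + "  absent.src.rpm",     # no such file on disk
            "-----BEGIN PGP SIGNATURE-----",   # non-digest line, ignored
        ])
        return verify_directory(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

In practice the manifest text is the signed comment body itself, so the digest lines can be fed in directly after the PGP signature on the comment has been checked; the digest only ties the file to what the commenter saw, and the signature is what ties the comment to the commenter.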



------- Additional Comments From dom@earth.li 2005-02-10 15:20:19 ----

Packages released to updates-testing.

(Jeff: thanks for the rh9 packages; I'd already rolled them by the time you
posted that :)



------- Additional Comments From sheltren@cs.ucsb.edu 2005-02-10 16:22:40 ----

No problem.  Thanks for catching the extra buildreqs for the FC1 package!

----------
* Thu Feb 10 2005 Dominic Hargreaves <dom@earth.li> - 3:2.1.5-8.legacy

- Added python, autoconf and automake build prerequisites
----------



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-10 19:06:16 ----

*** Bug 2425 has been marked as a duplicate of this bug. ***



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-10 19:15:32 ----

We seem to be missing rh73 packages here...



------- Additional Comments From madhatter@teaparty.net 2005-02-10 21:55:12 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Package mailman-2.1.1-8.legacy.i386.rpm installs OK on RH9.  Web interface
good: list browsing, list admin, setting moderation bit, moderation (i.e.,
mail is held pending moderator approval), are all fine.  Sending mail to a
list is also fine.

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCDGSUePtvKV31zw4RAnroAKDI3lWp4lTW+CgIxn5ZNWYh8VUnBgCfXc2X
TrkSlD81CDxRW0aEbfx0Xz8=
=/fFG
-----END PGP SIGNATURE-----




------- Additional Comments From sheltren@cs.ucsb.edu 2005-02-11 05:11:51 ----

Created an attachment (id=993)
Proposed RH 7.3 patch

Makes a similar change as made in the RH9/FC1 patch.  I don't have a 7.3 box to
test it on.



------- Additional Comments From dom@earth.li 2005-02-11 05:17:04 ----

Updated 7.3 packages have been built and are waiting to be transferred to the
download server.



------- Additional Comments From dom@earth.li 2005-02-11 07:53:41 ----

updates-testing RPMS for rh7.3 now available for verification at:

http://www-astro.physics.ox.ac.uk/~dom/legacy/official/redhat/7.3/updates-testing/

Note: I'm not signing this message as I don't have access to my GPG key here,
but the packages are gpg-signed with the FL key. Please check the signature.



------- Additional Comments From bugzilla.fedora.us@beej.org 2005-03-01 23:13:21 ----

Are the following fixed in the rh73 package?
CVE-2002-0389
CVE-2003-0991
CAN-2004-1143
CAN-2004-1177



------- Additional Comments From dom@earth.li 2005-03-04 07:25:26 ----

Re comment 11, can't remember offhand, all the packages currently in
updates-testing are rebuilds of RHEL updates. ISTR that some of those CANs are
quite minor in impact and so people haven't bothered to fix them.



------- Additional Comments From pizza@shaftnet.org 2005-03-06 03:56:34 ----

I'm using this in production on a FC1 box.  Everything seems to work so far.

+VERIFY FC1



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:31 -------

This bug previously known as bug 2419 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2419
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Proposed RH 7.3 patch
https://bugzilla.fedora.us/attachment.cgi?action=view&id=993

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Deslauriers 2005-04-05 18:47:27 EDT
*** Bug 152735 has been marked as a duplicate of this bug. ***
Comment 2 Marc Deslauriers 2005-04-05 18:48:26 EDT
*** Bug 152667 has been marked as a duplicate of this bug. ***
Comment 3 Pekka Savola 2005-06-16 08:39:12 EDT
2 VERIFY votes, timeouts in 2 weeks.
Comment 4 Pekka Savola 2005-07-01 14:37:47 EDT
Timeout over, to be released.
Comment 5 Marc Deslauriers 2005-07-10 17:29:05 EDT
Packages were officially released.