Bug 193843 - CVE-2006-0052 Mailman DoS, CVE-2006-1712 Mailman cross site scripting bug and CVE-2005-3573 Mailman Denial of Service (CVE-2005-4153); also CAN-2004-1177 Cross-site scripting (XSS) vulnerability
CVE-2006-0052 Mailman DoS, CVE-2006-1712 Mailman cross site scripting bug an...
Status: CLOSED NEXTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: mailman (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
LEGACY, rh73, rh90, 1, 2, 3, NEEDSWORK
: Security
Depends On: 173140 187420 188605
Blocks:
  Show dependency treegraph
 
Reported: 2006-06-02 00:57 EDT by kashif
Modified: 2007-04-30 03:33 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-30 03:33:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description kashif 2006-06-02 00:57:52 EDT
Mailman DoS allows remote attackers to cause a denial of service by using
multipart MIME message with a single part MIME message.

Mailman cross site scripting bug allows remote attackers to inject arbitrary web
script in the form ofaction argument.

In Mailman Denial of Service application crash and server message "fail with an
Overflow on bad date data in a processed message".

http://www.redhat.com/archives/fedora-test-list/2006-May/msg00131.html
http://www.redhat.com/archives/fedora-package-announce/2006-May/msg00134.htm
http://www.redhat.com/archives/fedora-package-announce/2006-May/msg00135.html
Comment 2 David Eisenstein 2006-06-04 23:10:49 EDT
In addition to the vulnerabilities mentioned above, since the last update of
mailman done by legacy for RHL 7.3, RHL 9, and FC1 in Feb, 2005 and released in
July, 2005 (that fixed CAN-2005-0202), another bug had been found and fixed in
FC2 and FC3 - CAN-2004-1177 (See Bug # 151643 for FC and Bug #147833 for RHEL).

(<http://www.redhat.com/archives/fedora-announce-list/2005-March/msg00058.html>)
"A cross-site scripting (XSS) flaw in the driver script of mailman
prior to version 2.1.5 could allow remote attackers to execute scripts
as other web users. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-1177 to this issue.

"Users of mailman should update to this erratum package, which corrects
this issue by turning on STEALTH_MODE by default and using
Utils.websafe() to quote the html."

The only Legacy packages which may be affected by CAN-2004-1177 are these:
  * mailman-2.0.13-7.legacy (RHL 7.3, built 11-Feb-2005)
  * mailman-2.0.13-7.legacy (RHL 9, built 10-Feb-2005)
  * mailman-2.1.5-8.legacy (FC 1, built 10-Feb-2005)

with Red Hat already having applied fixes for CAN-2004-1177 for these:
  * mailman-2.1.5-10.fc2 (FC 2, built 22-Mar-2005)
  * mailman-2.1.5-32.fc3 (FC 3, built 22-Mar-2005).
Comment 3 David Eisenstein 2006-06-04 23:35:48 EDT
Typo in comment #2.  The RHL 9 version of mailman build 10-Feb-2005, which is
likely vulnerable to CAN-2004-1177 is mailman-2.1.1-8.legacy.
Comment 4 David Eisenstein 2006-06-05 03:10:36 EDT
-----------
For CVE-2005-3573 and CVE-2005-4153, on 7-Mar-2006 RH issued RHSA-2006-0204 for
RHEL 3 & 4, <http://rhn.redhat.com/errata/RHSA-2006-0204.html>:

"A flaw in handling of UTF8 character encodings was found in Mailman.  An
attacker could send a carefully crafted email message to a mailing list run
by Mailman which would cause that particular mailing list to stop working.
The Common Vulnerabilities and Exposures project assigned the name
CVE-2005-3573 to this issue.

"A flaw in date handling was found in Mailman version 2.1.4 through 2.1.6. 
An attacker could send a carefully crafted email message to a mailing list
run by Mailman which would cause the Mailman server to crash.  (CVE-2005-4153).

"Users of Mailman should upgrade to this updated package, which contains
backported patches to correct these issues."

RH did not issue updates for the RHEL 2.1 version in this RHSA, so this issue
may not affect RHL 7.3.  These two CVE's likely affect RHL 9, FC1, FC2, & FC3.

RHEL 3:  mailman-2.1.5.1-25.rhel3.4.src.rpm
RHEL 4:  mailman-2.1.5.1-34.rhel4.2.src.rpm

----------
For CVE-2006-0052 - "The attachment scrubber (Scrubber.py) in Mailman 2.1.5 and
earlier, when using Python's library email module 2.5, allows remote attackers
to cause a denial of service (mailing list delivery failure) via a multipart
MIME message with a single part that has two blank lines between the first
boundary and the end boundary."

RedHat currently has Bug #187420 open for this issue for RHEL 3 & 4.  According
to Josh Bressers in Bug 187420 comment #0, this was fixed in mailman 2.1.6, and
here is the patch:
http://cvs.sourceforge.net/viewcvs.py/mailman/mailman/Mailman/Handlers/Scrubber.py?r1=2.18.2.12&r2=2.18.2.13

Again, this issue may not affect RHL 7.3, as no mention of RHEL 2.1 is made in
this bug 187420.  This CVE likely affects RHL 9, FC1, FC2, & FC3.

From Bug 187420 comment #3, it appears these versions are in testing as of now:
RHEL 3:  mailman-2.1.5.1-25.rhel3.5
RHEL 4:  mailman-2.1.5.1-34.rhel4.3

Reference:  Bugtraq ID 17311, http://www.securityfocus.com/bid/17311

---------
For CVE-2006-1712 -- "Cross-site scripting (XSS) vulnerability in the private
archive script (private.py) in GNU Mailman 2.1.7 allows remote attackers to
inject arbitrary web script or HTML via the action argument."

We may need to research whether this bug affects any of our Legacy distros;
since it claims it only affects Mailman 2.1.7, it may not affect us.

Josh Bressers indicates a patch is in Attachment 127627 [details] (Bug 188605 comment #1).

Reference:  Bugtraq ID 17403, http://www.securityfocus.com/bid/17403
Comment 5 Neil Horman 2006-06-14 07:17:33 EDT
*** Bug 194103 has been marked as a duplicate of this bug. ***
Comment 6 Tomas Smetana 2007-04-30 03:33:59 EDT
Fedora Legacy project has been discontinued. The recent Fedora products are
shipped with Mailman 2.1.9 or newer wich is not affected by the mentioned issues.

Note You need to log in before you can comment on or make changes to this bug.