Red Hat Bugzilla – Bug 198344
CVE-2006-2941 Mailman DoS
Last modified: 2007-11-30 17:07:26 EST
Ubuntu reported a possible Mailman DoS where a malformed message can cause the
mailman server to stop sending out email. Currently embargoed with no proposed
Also may affect RHEL3, RHEL2.1
Created attachment 132224 [details]
Proposed patch from Ubuntu
embargo 20060718 1400 UTC
Embargo may be extended by request of Barry Warsaw. Please don't open this bug
at this time.
Ok, wrote some test cases. RHEL3 and RHEL4 are _NOT_ vulnerable, cause
python-2.3.4-14 has a email/Message.py which does not backtrace with strange
RHEL3's python-2.2.3-5 also does not backtrace..
mailman from RHEL2.1 does not save attachements and does not parse any mime
RHSA-2006:0600 is free for other things... sorry about the false alarm. I just
checked, if the patch would apply.
ok, now I have a better testcase... :-/ traceback..
Created attachment 132821 [details]
test case for traceback of pythons email.Message.get_filename()
Created attachment 133066 [details]
test case for CVE-2006-2941
public, removing embargo
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.