Bug 205651 - (CVE-2006-4624) CVE-2006-4624 mailman logfile CRLF injection
CVE-2006-4624 mailman logfile CRLF injection
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Tomas Smetana
impact=low,source=vendorsec,reported=...
: Security
Depends On: 251308 251309 251310
Blocks:
  Show dependency treegraph
 
Reported: 2006-09-07 16:41 EDT by Josh Bressers
Modified: 2008-01-15 08:39 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-15 08:39:36 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2006-09-07 16:41:03 EDT
mailman logfile CRLF injection

Text taken from MITRE:
CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1
allows remote attackers to spoof messages in the error log and
possibly trick the administrator into visiting malicious URLs via a
carriage return/line feed sequences in the URI.

The fix for this issue is here:
http://svn.sourceforge.net/viewvc/mailman/?revision=7918&view=rev


This issue also affects RHEL3
This issue also affects RHEL2.1
Comment 1 RHEL Product and Program Management 2007-05-09 05:41:28 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 8 Josh Bressers 2007-09-05 17:02:22 EDT
The risks associated with fixing this bug are greater than the low severity
security risk. We therefore currently have no plans to fix this flaw in Red Hat
Enterprise Linux 2.1 and 3 which are in maintenance mode.

This bug will be addressed in a future update of Red Hat Enterprise Linux 4.

If you believe this judgement to be in error, please reopen this bug with an
appropriate comment.
Comment 10 Red Hat Product Security 2008-01-15 08:39:36 EST
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0779.html


Note You need to log in before you can comment on or make changes to this bug.