[USN-586-1] mailman vulnerability
Date: Sat, 15 Mar 2008 11:07:36 -0700
From: Kees Cook <kees@ubuntu.com.>
To: [email protected]
Subject: [USN-586-1] mailman vulnerability
Message-ID: <20080315180736.GC12265@outflux.net.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="yrj/dFKFPuw6o+aM"
Content-Disposition: inline
Organization: Ubuntu
X-MIMEDefang-Filter: outflux$Revision: 1.309 $
X-HELO: www.outflux.net
X-Scanned-By: MIMEDefang 2.57 on 10.2.0.1
X-Virus-Scanned: antivirus-gw at tyumen.ru
--yrj/dFKFPuw6o+aM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=20
Ubuntu Security Notice USN-586-1 March 15, 2008
mailman vulnerability
CVE-2008-0564
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
mailman 2.1.5-9ubuntu4.2
Ubuntu 6.10:
mailman 1:2.1.8-2ubuntu2.1
Ubuntu 7.04:
mailman 1:2.1.9-4ubuntu1.2
Ubuntu 7.10:
mailman 1:2.1.9-8ubuntu0.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
NOTE: Due to an internal release testing mistake, earlier
published mailman versions 1:2.1.9-4ubuntu1.1 (for Ubuntu
7.04) and 1:2.1.9-8ubuntu0.1 (for Ubuntu 7.10) accidentally
included an incorrect patch and caused a regression, as reported in
https://launchpad.net/bugs/202332
This update includes fixes for the problem. We apologize for the
inconvenience.
Details follow:
Multiple cross-site scripting flaws were discovered in mailman.
A malicious list administrator could exploit this to execute arbitrary
JavaScript, potentially stealing user credentials.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ub=
untu4.2.diff.gz
Size/MD5: 231090 d3e7124adf9454e2754e41c98df1a79c
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ub=
untu4.2.dsc
Size/MD5: 626 0ac6344f31b1fd756ff3c724a059c907
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5.ori=
g.tar.gz
Size/MD5: 5745912 f5f56f04747cd4aff67427e7a45631af
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ub=
untu4.2_amd64.deb
Size/MD5: 6613254 72d9727b248c5e8ac1ffe6699989b546
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ub=
untu4.2_i386.deb
Size/MD5: 6612872 6fa80a2c5f9fb4ef86fc37f5948eb7ea
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ub=
untu4.2_powerpc.deb
Size/MD5: 6621726 45ad75a62c903f80ccaed21d8bff8e0f
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ub=
untu4.2_sparc.deb
Size/MD5: 6620818 7dc3bc18e981e78fa7d9e18bda151ecc
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ub=
untu2.1.diff.gz
Size/MD5: 203009 ee4a019ea676c82f040bad51a13f2a04
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ub=
untu2.1.dsc
Size/MD5: 819 53355a3ca08c288d785123da51dbb10e
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8.ori=
g.tar.gz
Size/MD5: 6856039 b9308ea3ffe8dd447458338408d46bd6
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ub=
untu2.1_amd64.deb
Size/MD5: 8017888 34628b56f38515676c840c10f2aa100d
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ub=
untu2.1_i386.deb
Size/MD5: 8016276 18b60f0774f2f664d5505391834ed0c6
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ub=
untu2.1_powerpc.deb
Size/MD5: 8025122 20b2783ab25dd270751211463fdedc77
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ub=
untu2.1_sparc.deb
Size/MD5: 8023672 02dd507266718e196abef08311a995b5
Updated packages for Ubuntu 7.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ub=
untu1.2.diff.gz
Size/MD5: 142531 2e32aeebcbf3d45e498d4241bf1cf0c8
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ub=
untu1.2.dsc
Size/MD5: 981 0c8c78087bcf0213f17013c94fea9764
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9.ori=
g.tar.gz
Size/MD5: 7829201 dd51472470f9eafb04f64da372444835
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ub=
untu1.2_amd64.deb
Size/MD5: 8606862 74502c6c9e9a8bb277c6f741abd46541
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ub=
untu1.2_i386.deb
Size/MD5: 8605384 46330ecad45d07957ac827e5f8e944e2
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ub=
untu1.2_powerpc.deb
Size/MD5: 8617812 08c3457654498fb0e944c6900c1111fa
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ub=
untu1.2_sparc.deb
Size/MD5: 8616850 d847a99c6173ffa101f5986cfd9ce9cf
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ub=
untu0.2.diff.gz
Size/MD5: 151248 242099c74ff77d643fab04b0aeffee33
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ub=
untu0.2.dsc
Size/MD5: 1032 97fd7fe28a0f1d32b95c3afd9cf1946a
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9.ori=
g.tar.gz
Size/MD5: 7829201 dd51472470f9eafb04f64da372444835
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ub=
untu0.2_amd64.deb
Size/MD5: 8613496 982f4c248795c6555bdb62a0747a429d
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ub=
untu0.2_i386.deb
Size/MD5: 8611448 94ad8c328a6367196dffcd38f3a56d17
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ub=
untu0.2_powerpc.deb
Size/MD5: 8627854 a0b4e25a6c5892b77845f192e8d0ae70
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ub=
untu0.2_sparc.deb
Size/MD5: 8626282 2f318a3fc2a9bd1e50e4df96e15bdad1
--yrj/dFKFPuw6o+aM
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH3BBoH/9LqRcGPm0RAqKSAJ0X0p8GEzM9v58JUzDkU0dkMwP70wCfdfC6
g0JyO66Epv3zlEwUTHuAIfY=
=R+IT
-----END PGP SIGNATURE-----
--yrj/dFKFPuw6o+aM--