Articles / Red Hat: Updated mailman pa…

Red Hat: Updated mailman packages fix security issues

Mailman is a program used to help manage email discussion lists. A flaw was found in the way Mailman handled MIME multipart messages. An attacker could send a carefully crafted MIME multipart email message to a mailing list run by Mailman which caused that particular mailing list to stop working. Several cross-site scripting (XSS) issues were found in Mailman. An attacker could exploit these issues to perform cross-site scripting attacks against the Mailman administrator. Fixed packages are available from security.debian.org.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                  Red Hat Security Advisory

Synopsis:          Moderate: mailman security update
Advisory ID:       RHSA-2006:0600-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2006-0600.html
Issue date:        2006-09-06
Updated on:        2006-09-06
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2006-2941 CVE-2006-3636
- ---------------------------------------------------------------------

1. Summary:

Updated mailman packages that fix security issues are now available for Red
Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

Mailman is a program used to help manage email discussion lists.

A flaw was found in the way Mailman handled MIME multipart messages. An
attacker could send a carefully crafted MIME multipart email message to a
mailing list run by Mailman which caused that particular mailing list
to stop working.  (CVE-2006-2941)

Several cross-site scripting (XSS) issues were found in Mailman.  An
attacker could exploit these issues to perform cross-site scripting attacks
against the Mailman administrator.  (CVE-2006-3636)

Red Hat would like to thank Barry Warsaw for disclosing these vulnerabilities.

Users of Mailman should upgrade to these updated packages, which contain
backported patches to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

198344 - CVE-2006-2941 Mailman DoS
203704 - CVE-2006-3636 Mailman XSS issues

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/mailman-2.1.5.1-25.rhel3.7.src.rpm
aadc1f8f782b3bb77723aaf58f3075dd  mailman-2.1.5.1-25.rhel3.7.src.rpm

i386:
06ad7a3f4da347456466fa4f5e2fa7c3  mailman-2.1.5.1-25.rhel3.7.i386.rpm
c11347caf70b2d35f6ee3e5ad85a1e2a  mailman-debuginfo-2.1.5.1-25.rhel3.7.i386.rpm

ia64:
930f1caafb3f9a52df581ec287688b77  mailman-2.1.5.1-25.rhel3.7.ia64.rpm
506a05ea921cc2db4a6bd780fe675984  mailman-debuginfo-2.1.5.1-25.rhel3.7.ia64.rpm

ppc:
3b25506baa71db64e4b5f46891995348  mailman-2.1.5.1-25.rhel3.7.ppc.rpm
7b88f8c12c8b1a8dc847bfb847cbd6be  mailman-debuginfo-2.1.5.1-25.rhel3.7.ppc.rpm

s390:
10d5202c49895d7cd7735fd26a631a18  mailman-2.1.5.1-25.rhel3.7.s390.rpm
644052a0ec97d49a7e6f304dcd8d3103  mailman-debuginfo-2.1.5.1-25.rhel3.7.s390.rpm

s390x:
c5db1d523b4ab0107c073d08da7fa067  mailman-2.1.5.1-25.rhel3.7.s390x.rpm
99eb2c04ffa8bbc4d5cc39e580a91036  mailman-debuginfo-2.1.5.1-25.rhel3.7.s390x.rpm

x86_64:
13322c51c7935facde94c51751d9cfed  mailman-2.1.5.1-25.rhel3.7.x86_64.rpm
e558b981f58e456777900935c586acc5  mailman-debuginfo-2.1.5.1-25.rhel3.7.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/mailman-2.1.5.1-25.rhel3.7.src.rpm
aadc1f8f782b3bb77723aaf58f3075dd  mailman-2.1.5.1-25.rhel3.7.src.rpm

i386:
06ad7a3f4da347456466fa4f5e2fa7c3  mailman-2.1.5.1-25.rhel3.7.i386.rpm
c11347caf70b2d35f6ee3e5ad85a1e2a  mailman-debuginfo-2.1.5.1-25.rhel3.7.i386.rpm

x86_64:
13322c51c7935facde94c51751d9cfed  mailman-2.1.5.1-25.rhel3.7.x86_64.rpm
e558b981f58e456777900935c586acc5  mailman-debuginfo-2.1.5.1-25.rhel3.7.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/mailman-2.1.5.1-25.rhel3.7.src.rpm
aadc1f8f782b3bb77723aaf58f3075dd  mailman-2.1.5.1-25.rhel3.7.src.rpm

i386:
06ad7a3f4da347456466fa4f5e2fa7c3  mailman-2.1.5.1-25.rhel3.7.i386.rpm
c11347caf70b2d35f6ee3e5ad85a1e2a  mailman-debuginfo-2.1.5.1-25.rhel3.7.i386.rpm

ia64:
930f1caafb3f9a52df581ec287688b77  mailman-2.1.5.1-25.rhel3.7.ia64.rpm
506a05ea921cc2db4a6bd780fe675984  mailman-debuginfo-2.1.5.1-25.rhel3.7.ia64.rpm

x86_64:
13322c51c7935facde94c51751d9cfed  mailman-2.1.5.1-25.rhel3.7.x86_64.rpm
e558b981f58e456777900935c586acc5  mailman-debuginfo-2.1.5.1-25.rhel3.7.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/mailman-2.1.5.1-25.rhel3.7.src.rpm
aadc1f8f782b3bb77723aaf58f3075dd  mailman-2.1.5.1-25.rhel3.7.src.rpm

i386:
06ad7a3f4da347456466fa4f5e2fa7c3  mailman-2.1.5.1-25.rhel3.7.i386.rpm
c11347caf70b2d35f6ee3e5ad85a1e2a  mailman-debuginfo-2.1.5.1-25.rhel3.7.i386.rpm

ia64:
930f1caafb3f9a52df581ec287688b77  mailman-2.1.5.1-25.rhel3.7.ia64.rpm
506a05ea921cc2db4a6bd780fe675984  mailman-debuginfo-2.1.5.1-25.rhel3.7.ia64.rpm

x86_64:
13322c51c7935facde94c51751d9cfed  mailman-2.1.5.1-25.rhel3.7.x86_64.rpm
e558b981f58e456777900935c586acc5  mailman-debuginfo-2.1.5.1-25.rhel3.7.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/mailman-2.1.5.1-34.rhel4.5.src.rpm
c93f0d4ba430ee583e22565d46ad4ca7  mailman-2.1.5.1-34.rhel4.5.src.rpm

i386:
9ab4155e1c5510abf085c9af828f57eb  mailman-2.1.5.1-34.rhel4.5.i386.rpm
269153aac17ce9e233f78b3ffe8e2aef  mailman-debuginfo-2.1.5.1-34.rhel4.5.i386.rpm

ia64:
a42338d32e130205035d1ffe852fa2d1  mailman-2.1.5.1-34.rhel4.5.ia64.rpm
b32a43800a955c99aaaa63ba45cf723d  mailman-debuginfo-2.1.5.1-34.rhel4.5.ia64.rpm

ppc:
44ad39bb47c903413d8b6ffd930263dd  mailman-2.1.5.1-34.rhel4.5.ppc.rpm
4f2378bf60f794714437f5ae230dba35  mailman-debuginfo-2.1.5.1-34.rhel4.5.ppc.rpm

s390:
338423bc0323023b04f177447ba01fb7  mailman-2.1.5.1-34.rhel4.5.s390.rpm
733544b11b96726a0bade226ddd66abe  mailman-debuginfo-2.1.5.1-34.rhel4.5.s390.rpm

s390x:
e2f64e5975246be9b939d0a6e878fa61  mailman-2.1.5.1-34.rhel4.5.s390x.rpm
aaa1f9d30a557cd0a05e17795372e7ce  mailman-debuginfo-2.1.5.1-34.rhel4.5.s390x.rpm

x86_64:
92921797e6bdab3c60f739a386e47d0b  mailman-2.1.5.1-34.rhel4.5.x86_64.rpm
eff45cff79d327333feac959ebf3e9a4  mailman-debuginfo-2.1.5.1-34.rhel4.5.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/mailman-2.1.5.1-34.rhel4.5.src.rpm
c93f0d4ba430ee583e22565d46ad4ca7  mailman-2.1.5.1-34.rhel4.5.src.rpm

i386:
9ab4155e1c5510abf085c9af828f57eb  mailman-2.1.5.1-34.rhel4.5.i386.rpm
269153aac17ce9e233f78b3ffe8e2aef  mailman-debuginfo-2.1.5.1-34.rhel4.5.i386.rpm

x86_64:
92921797e6bdab3c60f739a386e47d0b  mailman-2.1.5.1-34.rhel4.5.x86_64.rpm
eff45cff79d327333feac959ebf3e9a4  mailman-debuginfo-2.1.5.1-34.rhel4.5.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/mailman-2.1.5.1-34.rhel4.5.src.rpm
c93f0d4ba430ee583e22565d46ad4ca7  mailman-2.1.5.1-34.rhel4.5.src.rpm

i386:
9ab4155e1c5510abf085c9af828f57eb  mailman-2.1.5.1-34.rhel4.5.i386.rpm
269153aac17ce9e233f78b3ffe8e2aef  mailman-debuginfo-2.1.5.1-34.rhel4.5.i386.rpm

ia64:
a42338d32e130205035d1ffe852fa2d1  mailman-2.1.5.1-34.rhel4.5.ia64.rpm
b32a43800a955c99aaaa63ba45cf723d  mailman-debuginfo-2.1.5.1-34.rhel4.5.ia64.rpm

x86_64:
92921797e6bdab3c60f739a386e47d0b  mailman-2.1.5.1-34.rhel4.5.x86_64.rpm
eff45cff79d327333feac959ebf3e9a4  mailman-debuginfo-2.1.5.1-34.rhel4.5.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/mailman-2.1.5.1-34.rhel4.5.src.rpm
c93f0d4ba430ee583e22565d46ad4ca7  mailman-2.1.5.1-34.rhel4.5.src.rpm

i386:
9ab4155e1c5510abf085c9af828f57eb  mailman-2.1.5.1-34.rhel4.5.i386.rpm
269153aac17ce9e233f78b3ffe8e2aef  mailman-debuginfo-2.1.5.1-34.rhel4.5.i386.rpm

ia64:
a42338d32e130205035d1ffe852fa2d1  mailman-2.1.5.1-34.rhel4.5.ia64.rpm
b32a43800a955c99aaaa63ba45cf723d  mailman-debuginfo-2.1.5.1-34.rhel4.5.ia64.rpm

x86_64:
92921797e6bdab3c60f739a386e47d0b  mailman-2.1.5.1-34.rhel4.5.x86_64.rpm
eff45cff79d327333feac959ebf3e9a4  mailman-debuginfo-2.1.5.1-34.rhel4.5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3636
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFE/zKzXlSAg2UNWIIRAqEyAJ9Ro5wLPn6TUU7bVonW1v9+6DYBFQCfWTDe
oiue7/oP/26AR6AN4NsplC0=
=2jQJ
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.