MDKSA-2006:165
- Package name: mailman
- Date: 2006-09-18
- Advisory ID: MDKSA-2006:165
- Affected versions: CS3.0 i586, 2006.0 i586, 2006.0 x86_64, CS3.0 x86_64
Problem description
A flaw was discovered in how Mailman handles MIME multipart messages
where an attacker could send a carefully-crafted MIME multipart
message to a Mailman-run mailing list causing that mailing list to
stop working (CVE-2006-2941).

As well, a number of XSS (cross-site scripting) issues were discovered
that could be exploited to perform XSS attacks against the Mailman
administrator (CVE-2006-3636).

Finally, a CRLF injection vulnerability allows remote attackers to
spoof messages in the error log (CVE-2006-4624).

Updated packages have been patched to address these issues.
Updated packages
CS3.0 i586
2f43ed2ac1274394b252a1dca99cf825 corporate/3.0/RPMS/mailman-2.1.4-2.8.C30mdk.i586.rpm
c7f43a47a27a1a1a074af957b9262c43 corporate/3.0/SRPMS/mailman-2.1.4-2.8.C30mdk.src.rpm
2006.0 i586
9979002d16562b3e62ceb6cfd21b45c6 2006.0/RPMS/mailman-2.1.6-6.4.20060mdk.i586.rpm
9b26c36c23c2a417df0d7772d97071ff 2006.0/SRPMS/mailman-2.1.6-6.4.20060mdk.src.rpm
2006.0 x86_64
2ea71bec743e2fd8ff33724f99a3e5e8 x86_64/2006.0/RPMS/mailman-2.1.6-6.4.20060mdk.x86_64.rpm
9b26c36c23c2a417df0d7772d97071ff x86_64/2006.0/SRPMS/mailman-2.1.6-6.4.20060mdk.src.rpm
CS3.0 x86_64
36c2945ad0699607b445f8df2df551d5 x86_64/corporate/3.0/RPMS/mailman-2.1.4-2.8.C30mdk.x86_64.rpm
c7f43a47a27a1a1a074af957b9262c43 x86_64/corporate/3.0/SRPMS/mailman-2.1.4-2.8.C30mdk.src.rpm
