Support / Security / Advisories / Corporate Server 4.0 / MDVSA-2011:036

Package name: mailman
Date: 2011-02-23
Advisory ID: MDVSA-2011:036
Affected versions: 2009.0 x86_64 , MES5 i586 , 2010.0 x86_64 , 2010.1 i586 , 2010.0 i586 , 2009.0 i586 , CS4.0 i586 , CS4.0 x86_64 , MES5 x86_64 , 2010.1 x86_64

Problem description

A vulnerability has been found and corrected in mailman:

Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py
in GNU Mailman 2.1.14 and earlier allow remote attackers to inject
arbitrary web script or HTML via the (1) full name or (2) username
field in a confirmation message (CVE-2011-0707).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

Updated packages

2009.0 x86_64

 3a07afa82cf9334e9d2cbd88208c578a  2009.0/x86_64/mailman-2.1.11-1.3mdv2009.0.x86_64.rpm 
 79afe7d6091352e440e02107ab466efe  2009.0/SRPMS/mailman-2.1.11-1.3mdv2009.0.src.rpm

MES5 i586

 ecfdebbe4501d6d2ff60834f9050d9f7  mes5/i586/mailman-2.1.11-1.3mdvmes5.1.i586.rpm 
 c828514e473947b0b21d90db6d5c56eb  mes5/SRPMS/mailman-2.1.11-1.3mdvmes5.1.src.rpm

2010.0 x86_64

 9997c9ffed7a9672c92282c73f187aa1  2010.0/x86_64/mailman-2.1.12-3.3mdv2010.0.x86_64.rpm 
 4e461a2eb191aa9665ae4c8723ac1b17  2010.0/SRPMS/mailman-2.1.12-3.3mdv2010.0.src.rpm

2010.1 i586

 3c4ec4ef441084a5011d9c10b441df56  2010.1/i586/mailman-2.1.13-1.3mdv2010.2.i586.rpm 
 2376bf5d3a1669352dfd8f11840bea55  2010.1/SRPMS/mailman-2.1.13-1.3mdv2010.2.src.rpm

2010.0 i586

 20c696c21b949cb810f055d3b3803a12  2010.0/i586/mailman-2.1.12-3.3mdv2010.0.i586.rpm 
 4e461a2eb191aa9665ae4c8723ac1b17  2010.0/SRPMS/mailman-2.1.12-3.3mdv2010.0.src.rpm

2009.0 i586

 47a36cb8bb5464358047e119a573f0fb  2009.0/i586/mailman-2.1.11-1.3mdv2009.0.i586.rpm 
 79afe7d6091352e440e02107ab466efe  2009.0/SRPMS/mailman-2.1.11-1.3mdv2009.0.src.rpm

CS4.0 i586

 1ba9ef634bf145c569009dbc7f717f65  corporate/4.0/i586/mailman-2.1.6-6.5.20060mlcs4.i586.rpm 
 d9e1706712003f86bcb18dcc0fbb9307  corporate/4.0/SRPMS/mailman-2.1.6-6.5.20060mlcs4.src.rpm

CS4.0 x86_64

 f151b2121b079b4821c2d88e276c1a19  corporate/4.0/x86_64/mailman-2.1.6-6.5.20060mlcs4.x86_64.rpm 
 d9e1706712003f86bcb18dcc0fbb9307  corporate/4.0/SRPMS/mailman-2.1.6-6.5.20060mlcs4.src.rpm

MES5 x86_64

 b6d9bfdaf7e2f33f942d1f3408eebb02  mes5/x86_64/mailman-2.1.11-1.3mdvmes5.1.x86_64.rpm 
 c828514e473947b0b21d90db6d5c56eb  mes5/SRPMS/mailman-2.1.11-1.3mdvmes5.1.src.rpm

2010.1 x86_64

 3d6740a45395643aea20eaa55c584668  2010.1/x86_64/mailman-2.1.13-1.3mdv2010.2.x86_64.rpm 
 2376bf5d3a1669352dfd8f11840bea55  2010.1/SRPMS/mailman-2.1.13-1.3mdv2010.2.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0707