Home > Security > Advisories

Advisories

Mandriva Advisories

Package name mailman
Date September 18th, 2006
Advisory ID MDKSA-2006:165
Affected versions CS3.0, 2006.0
Synopsis Updated mailman packages fix multiple vulnerabilities

Problem Description

A flaw was discovered in how Mailman handles MIME multipart messages
where an attacker could send a carefully-crafted MIME multipart
message to a Mailman-run mailing list causing that mailing list to
stop working (CVE-2006-2941).

As well, a number of XSS (cross-site scripting) issues were discovered
that could be exploited to perform XSS attacks against the Mailman
administrator (CVE-2006-3636).

Finally, a CRLF injection vulnerability allows remote attackers to
spoof messages in the error log (CVE-2006-4624).

Updated packages have been patched to address these issues.

Updated Packages

Corporate Server 3.0

 2f43ed2ac1274394b252a1dca99cf825  corporate/3.0/RPMS/mailman-2.1.4-2.8.C30mdk.i586.rpm
 c7f43a47a27a1a1a074af957b9262c43  corporate/3.0/SRPMS/mailman-2.1.4-2.8.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 36c2945ad0699607b445f8df2df551d5  x86_64/corporate/3.0/RPMS/mailman-2.1.4-2.8.C30mdk.x86_64.rpm
 c7f43a47a27a1a1a074af957b9262c43  x86_64/corporate/3.0/SRPMS/mailman-2.1.4-2.8.C30mdk.src.rpm

Mandriva Linux 2006

 9979002d16562b3e62ceb6cfd21b45c6  2006.0/RPMS/mailman-2.1.6-6.4.20060mdk.i586.rpm
 9b26c36c23c2a417df0d7772d97071ff  2006.0/SRPMS/mailman-2.1.6-6.4.20060mdk.src.rpm

Mandriva Linux 2006/X86_64

 2ea71bec743e2fd8ff33724f99a3e5e8  x86_64/2006.0/RPMS/mailman-2.1.6-6.4.20060mdk.x86_64.rpm
 9b26c36c23c2a417df0d7772d97071ff  x86_64/2006.0/SRPMS/mailman-2.1.6-6.4.20060mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3636
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4624

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.