lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080315180736.GC12265@outflux.net>
Date: Sat, 15 Mar 2008 11:07:36 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-586-1] mailman vulnerability

=========================================================== 
Ubuntu Security Notice USN-586-1             March 15, 2008
mailman vulnerability
CVE-2008-0564
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mailman                         2.1.5-9ubuntu4.2

Ubuntu 6.10:
  mailman                         1:2.1.8-2ubuntu2.1

Ubuntu 7.04:
  mailman                         1:2.1.9-4ubuntu1.2

Ubuntu 7.10:
  mailman                         1:2.1.9-8ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

NOTE: Due to an internal release testing mistake, earlier
published mailman versions 1:2.1.9-4ubuntu1.1 (for Ubuntu
7.04) and 1:2.1.9-8ubuntu0.1 (for Ubuntu 7.10) accidentally
included an incorrect patch and caused a regression, as reported in
https://launchpad.net/bugs/202332

This update includes fixes for the problem.  We apologize for the
inconvenience.

Details follow:

Multiple cross-site scripting flaws were discovered in mailman.
A malicious list administrator could exploit this to execute arbitrary
JavaScript, potentially stealing user credentials.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2.diff.gz
      Size/MD5:   231090 d3e7124adf9454e2754e41c98df1a79c
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2.dsc
      Size/MD5:      626 0ac6344f31b1fd756ff3c724a059c907
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5.orig.tar.gz
      Size/MD5:  5745912 f5f56f04747cd4aff67427e7a45631af

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_amd64.deb
      Size/MD5:  6613254 72d9727b248c5e8ac1ffe6699989b546

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_i386.deb
      Size/MD5:  6612872 6fa80a2c5f9fb4ef86fc37f5948eb7ea

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_powerpc.deb
      Size/MD5:  6621726 45ad75a62c903f80ccaed21d8bff8e0f

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_sparc.deb
      Size/MD5:  6620818 7dc3bc18e981e78fa7d9e18bda151ecc

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1.diff.gz
      Size/MD5:   203009 ee4a019ea676c82f040bad51a13f2a04
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1.dsc
      Size/MD5:      819 53355a3ca08c288d785123da51dbb10e
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8.orig.tar.gz
      Size/MD5:  6856039 b9308ea3ffe8dd447458338408d46bd6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_amd64.deb
      Size/MD5:  8017888 34628b56f38515676c840c10f2aa100d

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_i386.deb
      Size/MD5:  8016276 18b60f0774f2f664d5505391834ed0c6

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_powerpc.deb
      Size/MD5:  8025122 20b2783ab25dd270751211463fdedc77

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_sparc.deb
      Size/MD5:  8023672 02dd507266718e196abef08311a995b5

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2.diff.gz
      Size/MD5:   142531 2e32aeebcbf3d45e498d4241bf1cf0c8
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2.dsc
      Size/MD5:      981 0c8c78087bcf0213f17013c94fea9764
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9.orig.tar.gz
      Size/MD5:  7829201 dd51472470f9eafb04f64da372444835

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_amd64.deb
      Size/MD5:  8606862 74502c6c9e9a8bb277c6f741abd46541

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_i386.deb
      Size/MD5:  8605384 46330ecad45d07957ac827e5f8e944e2

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_powerpc.deb
      Size/MD5:  8617812 08c3457654498fb0e944c6900c1111fa

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_sparc.deb
      Size/MD5:  8616850 d847a99c6173ffa101f5986cfd9ce9cf

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2.diff.gz
      Size/MD5:   151248 242099c74ff77d643fab04b0aeffee33
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2.dsc
      Size/MD5:     1032 97fd7fe28a0f1d32b95c3afd9cf1946a
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9.orig.tar.gz
      Size/MD5:  7829201 dd51472470f9eafb04f64da372444835

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2_amd64.deb
      Size/MD5:  8613496 982f4c248795c6555bdb62a0747a429d

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2_i386.deb
      Size/MD5:  8611448 94ad8c328a6367196dffcd38f3a56d17

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2_powerpc.deb
      Size/MD5:  8627854 a0b4e25a6c5892b77845f192e8d0ae70

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2_sparc.deb
      Size/MD5:  8626282 2f318a3fc2a9bd1e50e4df96e15bdad1


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ