Message-ID: <1298407616.28687.0.camel@localhost>
Date: Tue, 22 Feb 2011 15:46:56 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-1069-1] Mailman vulnerabilities

===========================================================
Ubuntu Security Notice USN-1069-1         February 22, 2011
mailman vulnerabilities
CVE-2010-3089, CVE-2011-0707
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mailman                         2.1.5-9ubuntu4.4

Ubuntu 8.04 LTS:
  mailman                         1:2.1.9-9ubuntu1.4

Ubuntu 9.10:
  mailman                         1:2.1.12-2ubuntu0.2

Ubuntu 10.04 LTS:
  mailman                         1:2.1.13-1ubuntu0.2

Ubuntu 10.10:
  mailman                         1:2.1.13-4ubuntu0.2

In general, a standard system update will make all the necessary changes.
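An added check, not part of this notice, for auditing a host against the fixed versions listed above: it implements dpkg's version ordering (epoch, then upstream version, then Debian revision) so that the `1:` epoch on the 8.04 and later packages, `~` pre-release markers and multi-digit numeric parts compare correctly instead of as plain strings. The function and table names are this example's own; feed `is_patched` the release and the output of `dpkg-query -W -f='${Version}' mailman`.

```python
import re
from itertools import zip_longest
# Fixed mailman versions from USN-1069-1, keyed by Ubuntu release.
FIXED_VERSIONS = {
    "6.06": "2.1.5-9ubuntu4.4",
    "8.04": "1:2.1.9-9ubuntu1.4",
    "9.10": "1:2.1.12-2ubuntu0.2",
    "10.04": "1:2.1.13-1ubuntu0.2",
    "10.10": "1:2.1.13-4ubuntu0.2",
}

def _order(c):
    # dpkg ordering inside a non-digit run: '~' < end of run < letters < others
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare as dpkg does: alternate non-digit runs (via _order) with numeric runs."""
    while a or b:
        la, lb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(la):], b[len(lb):]
        for x, y in zip_longest(la, lb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]: epoch defaults to 0, revision follows the LAST hyphen
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 sorts before, equal to, or after v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_patched(release, installed):
    """True if mailman on that Ubuntu release is at or above the USN-1069-1 fix."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0
```

Note that a version string lacking the epoch (for example `2.1.9-9ubuntu1.4` on 8.04) sorts below the fixed `1:2.1.9-9ubuntu1.4`, which is why the epoch must be compared first.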

Details follow:

It was discovered that Mailman did not properly sanitize certain fields,
resulting in cross-site scripting (XSS) vulnerabilities. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data, within the same
domain.

