Message-ID: <1298407616.28687.0.camel@localhost>
Date: Tue, 22 Feb 2011 15:46:56 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-1069-1] Mailman vulnerabilities
===========================================================
Ubuntu Security Notice USN-1069-1 February 22, 2011
mailman vulnerabilities
CVE-2010-3089, CVE-2011-0707
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mailman 2.1.5-9ubuntu4.4

Ubuntu 8.04 LTS:
  mailman 1:2.1.9-9ubuntu1.4

Ubuntu 9.10:
  mailman 1:2.1.12-2ubuntu0.2

Ubuntu 10.04 LTS:
  mailman 1:2.1.13-1ubuntu0.2

Ubuntu 10.10:
  mailman 1:2.1.13-4ubuntu0.2

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that Mailman did not properly sanitize certain fields,
resulting in cross-site scripting (XSS) vulnerabilities. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data, within the same
domain.
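
A check against the fixed package versions listed above, as an added example that is not part of the original advisory: it compares an installed mailman version string with the fixed version for a release using Debian version ordering (epoch, then upstream version, then revision). The function names are hypothetical, and any installed-version strings passed to it are the caller's own input.

```python
import re

# Fixed versions copied from USN-1069-1, keyed by Ubuntu release number.
FIXED = {
    "6.06": "2.1.5-9ubuntu4.4",
    "8.04": "1:2.1.9-9ubuntu1.4",
    "9.10": "1:2.1.12-2ubuntu0.2",
    "10.04": "1:2.1.13-1ubuntu0.2",
    "10.10": "1:2.1.13-4ubuntu0.2",
}


def _key(part):
    """Sort key for an upstream or revision string, following dpkg ordering."""
    key = []
    for text, digits in re.findall(r"(\D*)(\d*)", part):
        # '~' sorts before end-of-run (0); letters sort before punctuation.
        chars = [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
                 for c in text]
        # Digit runs compare numerically, so "0.10" is newer than "0.2".
        key.append((chars + [0], int(digits or 0)))
    return key


def parse(version):
    """Split [epoch:]upstream[-revision] into a comparable tuple."""
    # A missing epoch counts as 0; a missing revision counts as "0".
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return (int(epoch), _key(upstream), _key(revision))


def is_patched(release, installed):
    """True when the installed version is at or above the fix for this release."""
    return parse(installed) >= parse(FIXED[release])
```

The epoch matters here: the 6.06 package carries no epoch while the later releases use `1:`, so a version without the `1:` prefix on 8.04 or later sorts below the fix regardless of its upstream number.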