[CVE-2008-0564] Multiple cross-site scripting (XSS) vulnerabilities in Mailman

Bug #199338 reported by Emanuele Gentili
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mailman (Gentoo Linux) | Fix Released | Low | | |
| mailman (Ubuntu) | Fix Released | Low | Emanuele Gentili | |
| Dapper | Fix Released | Low | Emanuele Gentili | |
| Edgy | Fix Released | Low | Emanuele Gentili | |
| Feisty | Fix Released | Low | Emanuele Gentili | |
| Gutsy | Fix Released | Low | Emanuele Gentili | |

Bug Description

Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) editing templates and (2) the list's "info attribute" in the web administrator interface, a different vulnerability than CVE-2006-3636.

[1] http://mail.python.org/pipermail/mailman-announce/2008-February/000095.html
[2] http://mail.python.org/pipermail/mailman-announce/2008-February/000096.html

Emanuele Gentili (emgent) wrote :
Changed in mailman:
assignee: nobody → emgent
importance: Undecided → Low
status: New → In Progress
Emanuele Gentili (emgent) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mailman - 1:2.1.9-9ubuntu1

---------------
mailman (1:2.1.9-9ubuntu1) hardy; urgency=low

  * debian/control:
   + updated maintainer field
  * SECURITY UPDATE:
   + debian/patches/100_CVE-2008-0564.dpatch (LP: #199338)
    - Multiple cross-site scripting (XSS) vulnerabilities in Mailman
      before 2.1.10b1 allow remote attackers to inject arbitrary web
      script or HTML via unspecified vectors related to (1) editing
      templates and (2) the list's "info attribute" in the web
      administrator interface.
  * References
   + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0564
   + http://bugs.gentoo.org/show_bug.cgi?id=208710

 -- Emanuele Gentili <email address hidden> Fri, 07 Mar 2008 02:55:22 +0100

Changed in mailman:
status: In Progress → Fix Released
Emanuele Gentili (emgent) wrote :
Emanuele Gentili (emgent) wrote :
Emanuele Gentili (emgent) wrote :
Changed in mailman:
assignee: nobody → emgent
importance: Undecided → Low
status: New → In Progress
assignee: nobody → emgent
importance: Undecided → Low
status: New → In Progress
assignee: nobody → emgent
importance: Undecided → Low
status: New → In Progress
assignee: nobody → emgent
importance: Undecided → Low
status: New → In Progress
Changed in mailman:
status: Unknown → Fix Released
Kees Cook (kees) wrote :

Dapper and Edgy patches cannot include maintainer field updates.

Changed in mailman:
status: In Progress → Incomplete
status: In Progress → Incomplete
Kees Cook (kees) wrote :

Feisty and Gutsy uploaded, thanks! They should be published shortly.

Changed in mailman:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Emanuele Gentili (emgent) wrote :

I don't understand the problem with Dapper and Edgy. I updated the maintainer field outside the patch system; where is the problem?

Cheers,

Emanuele

Emanuele Gentili (emgent) wrote :

Thanks, please use this for upload.

Emanuele Gentili (emgent) wrote :

Thanks, please use this for upload in Edgy.

Changed in mailman:
status: Incomplete → In Progress
status: Incomplete → In Progress
Kees Cook (kees) wrote :

Thanks! Dapper/Edgy uploaded.

Changed in mailman:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mailman - 1:2.1.9-8ubuntu0.1

---------------
mailman (1:2.1.9-8ubuntu0.1) gutsy-security; urgency=low

  * debian/control:
   + updated maintainer field
  * SECURITY UPDATE:
   + debian/patches/100_CVE-2008-0564.dpatch (LP: #199338)
    - Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow
      remote attackers to inject arbitrary web script or HTML via unspecified vectors related
      to (1) editing templates and (2) the list's "info attribute" in the web administrator interface.
  * References
   + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0564
   + http://bugs.gentoo.org/show_bug.cgi?id=208710

 -- Emanuele Gentili <email address hidden> Fri, 07 Mar 2008 03:52:46 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mailman - 1:2.1.9-4ubuntu1.1

---------------
mailman (1:2.1.9-4ubuntu1.1) feisty-security; urgency=low

  * debian/control:
   + updated maintainer field
  * SECURITY UPDATE:
   + debian/patches/100_CVE-2008-0564.dpatch (LP: #199338)
    - Multiple cross-site scripting (XSS) vulnerabilities in Mailman
      before 2.1.10b1 allow remote attackers to inject arbitrary web
      script or HTML via unspecified vectors related to (1) editing
      templates and (2) the list's "info attribute" in the web
      administrator interface.
  * References
   + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0564
   + http://bugs.gentoo.org/show_bug.cgi?id=208710

 -- Emanuele Gentili <email address hidden> Fri, 07 Mar 2008 05:38:51 +0100

Changed in mailman:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in mailman:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in mailman (Gentoo Linux):
importance: Unknown → Low