Ubuntu: mailman vulnerability

    Date15 Mar 2008
    CategoryUbuntu
    2310
    Posted ByLinuxSecurity Advisories
    Multiple cross-site scripting flaws were discovered in mailman. A malicious list administrator could exploit this to execute arbitrary JavaScript, potentially stealing user credentials.
    =========================================================== 
    Ubuntu Security Notice USN-586-1             March 15, 2008
    mailman vulnerability
    CVE-2008-0564
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 6.06 LTS
    Ubuntu 6.10
    Ubuntu 7.04
    Ubuntu 7.10
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 6.06 LTS:
      mailman                         2.1.5-9ubuntu4.2
    
    Ubuntu 6.10:
      mailman                         1:2.1.8-2ubuntu2.1
    
    Ubuntu 7.04:
      mailman                         1:2.1.9-4ubuntu1.2
    
    Ubuntu 7.10:
      mailman                         1:2.1.9-8ubuntu0.2
    
    In general, a standard system upgrade is sufficient to effect the
    necessary changes.
    
    NOTE: Due to an internal release testing mistake, earlier
    published mailman versions 1:2.1.9-4ubuntu1.1 (for Ubuntu
    7.04) and 1:2.1.9-8ubuntu0.1 (for Ubuntu 7.10) accidentally
    included an incorrect patch and caused a regression, as reported in
    https://launchpad.net/bugs/202332
    
    This update includes fixes for the problem.  We apologize for the
    inconvenience.
    
    Details follow:
    
    Multiple cross-site scripting flaws were discovered in mailman.
    A malicious list administrator could exploit this to execute arbitrary
    JavaScript, potentially stealing user credentials.
    
    
    Updated packages for Ubuntu 6.06 LTS:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2.diff.gz
          Size/MD5:   231090 d3e7124adf9454e2754e41c98df1a79c
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2.dsc
          Size/MD5:      626 0ac6344f31b1fd756ff3c724a059c907
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5.orig.tar.gz
          Size/MD5:  5745912 f5f56f04747cd4aff67427e7a45631af
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_amd64.deb
          Size/MD5:  6613254 72d9727b248c5e8ac1ffe6699989b546
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_i386.deb
          Size/MD5:  6612872 6fa80a2c5f9fb4ef86fc37f5948eb7ea
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_powerpc.deb
          Size/MD5:  6621726 45ad75a62c903f80ccaed21d8bff8e0f
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_sparc.deb
          Size/MD5:  6620818 7dc3bc18e981e78fa7d9e18bda151ecc
    
    Updated packages for Ubuntu 6.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1.diff.gz
          Size/MD5:   203009 ee4a019ea676c82f040bad51a13f2a04
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1.dsc
          Size/MD5:      819 53355a3ca08c288d785123da51dbb10e
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8.orig.tar.gz
          Size/MD5:  6856039 b9308ea3ffe8dd447458338408d46bd6
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_amd64.deb
          Size/MD5:  8017888 34628b56f38515676c840c10f2aa100d
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_i386.deb
          Size/MD5:  8016276 18b60f0774f2f664d5505391834ed0c6
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_powerpc.deb
          Size/MD5:  8025122 20b2783ab25dd270751211463fdedc77
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_sparc.deb
          Size/MD5:  8023672 02dd507266718e196abef08311a995b5
    
    Updated packages for Ubuntu 7.04:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2.diff.gz
          Size/MD5:   142531 2e32aeebcbf3d45e498d4241bf1cf0c8
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2.dsc
          Size/MD5:      981 0c8c78087bcf0213f17013c94fea9764
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9.orig.tar.gz
          Size/MD5:  7829201 dd51472470f9eafb04f64da372444835
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_amd64.deb
          Size/MD5:  8606862 74502c6c9e9a8bb277c6f741abd46541
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_i386.deb
          Size/MD5:  8605384 46330ecad45d07957ac827e5f8e944e2
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_powerpc.deb
          Size/MD5:  8617812 08c3457654498fb0e944c6900c1111fa
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_sparc.deb
          Size/MD5:  8616850 d847a99c6173ffa101f5986cfd9ce9cf
    
    Updated packages for Ubuntu 7.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2.diff.gz
          Size/MD5:   151248 242099c74ff77d643fab04b0aeffee33
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2.dsc
          Size/MD5:     1032 97fd7fe28a0f1d32b95c3afd9cf1946a
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9.orig.tar.gz
          Size/MD5:  7829201 dd51472470f9eafb04f64da372444835
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2_amd64.deb
          Size/MD5:  8613496 982f4c248795c6555bdb62a0747a429d
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2_i386.deb
          Size/MD5:  8611448 94ad8c328a6367196dffcd38f3a56d17
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2_powerpc.deb
          Size/MD5:  8627854 a0b4e25a6c5892b77845f192e8d0ae70
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2_sparc.deb
          Size/MD5:  8626282 2f318a3fc2a9bd1e50e4df96e15bdad1
    
    
    --yrj/dFKFPuw6o+aM
    Content-Type: application/pgp-signature; name="signature.asc"
    Content-Description: Digital signature
    Content-Disposition: inline
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)
    
    iD8DBQFH3BBoH/9LqRcGPm0RAqKSAJ0X0p8GEzM9v58JUzDkU0dkMwP70wCfdfC6
    g0JyO66Epv3zlEwUTHuAIfY=R+IT
    -----END PGP SIGNATURE-----
    
    --yrj/dFKFPuw6o+aM--
    
    
    --==============X21542433858032832=Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Disposition: inline
    
    --
    ubuntu-security-announce mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
    
    --==============X21542433858032832==--
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"23","type":"x","order":"1","pct":56.1,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":12.2,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"13","type":"x","order":"3","pct":31.71,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    Advisories

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.