RHSA-2006:0600-01 Moderate: mailman security update
Posted on: 09/08/2006 09:40 AM

A new update is available for Red Hat Enterprise Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Moderate: mailman security update
Advisory ID: RHSA-2006:0600-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0600.html
Issue date: 2006-09-06
Updated on: 2006-09-06
Product: Red Hat Enterprise Linux
CVE Names: CVE-2006-2941 CVE-2006-3636
- ---------------------------------------------------------------------

1. Summary:

Updated mailman packages that fix security issues are now available for Red
Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

Mailman is a program used to help manage email discussion lists.

A flaw was found in the way Mailman handled MIME multipart messages. An
attacker could send a carefully crafted MIME multipart email message to a
mailing list run by Mailman which caused that particular mailing list
to stop working. (CVE-2006-2941)

Several cross-site scripting (XSS) issues were found in Mailman. An
attacker could exploit these issues to perform cross-site scripting attacks
against the Mailman administrator. (CVE-2006-3636)

Red Hat would like to thank Barry Warsaw for disclosing these vulnerabilities.

Users of Mailman should upgrade to these updated packages, which contain
backported patches to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

198344 - CVE-2006-2941 Mailman DoS
203704 - CVE-2006-3636 Mailman XSS issues

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/mailman-2.1.5.1-25.rhel3.7.src.rpm
aadc1f8f782b3bb77723aaf58f3075dd mailman-2.1.5.1-25.rhel3.7.src.rpm

i386:
06ad7a3f4da347456466fa4f5e2fa7c3 mailman-2.1.5.1-25.rhel3.7.i386.rpm
c11347caf70b2d35f6ee3e5ad85a1e2a mailman-debuginfo-2.1.5.1-25.rhel3.7.i386.rpm

ia64:
930f1caafb3f9a52df581ec287688b77 mailman-2.1.5.1-25.rhel3.7.ia64.rpm
506a05ea921cc2db4a6bd780fe675984 mailman-debuginfo-2.1.5.1-25.rhel3.7.ia64.rpm

ppc:
3b25506baa71db64e4b5f46891995348 mailman-2.1.5.1-25.rhel3.7.ppc.rpm
7b88f8c12c8b1a8dc847bfb847cbd6be mailman-debuginfo-2.1.5.1-25.rhel3.7.ppc.rpm

s390:
10d5202c49895d7cd7735fd26a631a18 mailman-2.1.5.1-25.rhel3.7.s390.rpm
644052a0ec97d49a7e6f304dcd8d3103 mailman-debuginfo-2.1.5.1-25.rhel3.7.s390.rpm

s390x:
c5db1d523b4ab0107c073d08da7fa067 mailman-2.1.5.1-25.rhel3.7.s390x.rpm
99eb2c04ffa8bbc4d5cc39e580a91036 mailman-debuginfo-2.1.5.1-25.rhel3.7.s390x.rpm

x86_64:
13322c51c7935facde94c51751d9cfed mailman-2.1.5.1-25.rhel3.7.x86_64.rpm
e558b981f58e456777900935c586acc5 mailman-debuginfo-2.1.5.1-25.rhel3.7.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/mailman-2.1.5.1-25.rhel3.7.src.rpm
aadc1f8f782b3bb77723aaf58f3075dd mailman-2.1.5.1-25.rhel3.7.src.rpm

i386:
06ad7a3f4da347456466fa4f5e2fa7c3 mailman-2.1.5.1-25.rhel3.7.i386.rpm
c11347caf70b2d35f6ee3e5ad85a1e2a mailman-debuginfo-2.1.5.1-25.rhel3.7.i386.rpm

x86_64:
13322c51c7935facde94c51751d9cfed mailman-2.1.5.1-25.rhel3.7.x86_64.rpm
e558b981f58e456777900935c586acc5 mailman-debuginfo-2.1.5.1-25.rhel3.7.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/mailman-2.1.5.1-25.rhel3.7.src.rpm
aadc1f8f782b3bb77723aaf58f3075dd mailman-2.1.5.1-25.rhel3.7.src.rpm

i386:
06ad7a3f4da347456466fa4f5e2fa7c3 mailman-2.1.5.1-25.rhel3.7.i386.rpm
c11347caf70b2d35f6ee3e5ad85a1e2a mailman-debuginfo-2.1.5.1-25.rhel3.7.i386.rpm

ia64:
930f1caafb3f9a52df581ec287688b77 mailman-2.1.5.1-25.rhel3.7.ia64.rpm
506a05ea921cc2db4a6bd780fe675984 mailman-debuginfo-2.1.5.1-25.rhel3.7.ia64.rpm

x86_64:
13322c51c7935facde94c51751d9cfed mailman-2.1.5.1-25.rhel3.7.x86_64.rpm
e558b981f58e456777900935c586acc5 mailman-debuginfo-2.1.5.1-25.rhel3.7.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/mailman-2.1.5.1-25.rhel3.7.src.rpm
aadc1f8f782b3bb77723aaf58f3075dd mailman-2.1.5.1-25.rhel3.7.src.rpm

i386:
06ad7a3f4da347456466fa4f5e2fa7c3 mailman-2.1.5.1-25.rhel3.7.i386.rpm
c11347caf70b2d35f6ee3e5ad85a1e2a mailman-debuginfo-2.1.5.1-25.rhel3.7.i386.rpm

ia64:
930f1caafb3f9a52df581ec287688b77 mailman-2.1.5.1-25.rhel3.7.ia64.rpm
506a05ea921cc2db4a6bd780fe675984 mailman-debuginfo-2.1.5.1-25.rhel3.7.ia64.rpm

x86_64:
13322c51c7935facde94c51751d9cfed mailman-2.1.5.1-25.rhel3.7.x86_64.rpm
e558b981f58e456777900935c586acc5 mailman-debuginfo-2.1.5.1-25.rhel3.7.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/mailman-2.1.5.1-34.rhel4.5.src.rpm
c93f0d4ba430ee583e22565d46ad4ca7 mailman-2.1.5.1-34.rhel4.5.src.rpm

i386:
9ab4155e1c5510abf085c9af828f57eb mailman-2.1.5.1-34.rhel4.5.i386.rpm
269153aac17ce9e233f78b3ffe8e2aef mailman-debuginfo-2.1.5.1-34.rhel4.5.i386.rpm

ia64:
a42338d32e130205035d1ffe852fa2d1 mailman-2.1.5.1-34.rhel4.5.ia64.rpm
b32a43800a955c99aaaa63ba45cf723d mailman-debuginfo-2.1.5.1-34.rhel4.5.ia64.rpm

ppc:
44ad39bb47c903413d8b6ffd930263dd mailman-2.1.5.1-34.rhel4.5.ppc.rpm
4f2378bf60f794714437f5ae230dba35 mailman-debuginfo-2.1.5.1-34.rhel4.5.ppc.rpm

s390:
338423bc0323023b04f177447ba01fb7 mailman-2.1.5.1-34.rhel4.5.s390.rpm
733544b11b96726a0bade226ddd66abe mailman-debuginfo-2.1.5.1-34.rhel4.5.s390.rpm

s390x:
e2f64e5975246be9b939d0a6e878fa61 mailman-2.1.5.1-34.rhel4.5.s390x.rpm
aaa1f9d30a557cd0a05e17795372e7ce mailman-debuginfo-2.1.5.1-34.rhel4.5.s390x.rpm

x86_64:
92921797e6bdab3c60f739a386e47d0b mailman-2.1.5.1-34.rhel4.5.x86_64.rpm
eff45cff79d327333feac959ebf3e9a4 mailman-debuginfo-2.1.5.1-34.rhel4.5.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/mailman-2.1.5.1-34.rhel4.5.src.rpm
c93f0d4ba430ee583e22565d46ad4ca7 mailman-2.1.5.1-34.rhel4.5.src.rpm

i386:
9ab4155e1c5510abf085c9af828f57eb mailman-2.1.5.1-34.rhel4.5.i386.rpm
269153aac17ce9e233f78b3ffe8e2aef mailman-debuginfo-2.1.5.1-34.rhel4.5.i386.rpm

x86_64:
92921797e6bdab3c60f739a386e47d0b mailman-2.1.5.1-34.rhel4.5.x86_64.rpm
eff45cff79d327333feac959ebf3e9a4 mailman-debuginfo-2.1.5.1-34.rhel4.5.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/mailman-2.1.5.1-34.rhel4.5.src.rpm
c93f0d4ba430ee583e22565d46ad4ca7 mailman-2.1.5.1-34.rhel4.5.src.rpm

i386:
9ab4155e1c5510abf085c9af828f57eb mailman-2.1.5.1-34.rhel4.5.i386.rpm
269153aac17ce9e233f78b3ffe8e2aef mailman-debuginfo-2.1.5.1-34.rhel4.5.i386.rpm

ia64:
a42338d32e130205035d1ffe852fa2d1 mailman-2.1.5.1-34.rhel4.5.ia64.rpm
b32a43800a955c99aaaa63ba45cf723d mailman-debuginfo-2.1.5.1-34.rhel4.5.ia64.rpm

x86_64:
92921797e6bdab3c60f739a386e47d0b mailman-2.1.5.1-34.rhel4.5.x86_64.rpm
eff45cff79d327333feac959ebf3e9a4 mailman-debuginfo-2.1.5.1-34.rhel4.5.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/mailman-2.1.5.1-34.rhel4.5.src.rpm
c93f0d4ba430ee583e22565d46ad4ca7 mailman-2.1.5.1-34.rhel4.5.src.rpm

i386:
9ab4155e1c5510abf085c9af828f57eb mailman-2.1.5.1-34.rhel4.5.i386.rpm
269153aac17ce9e233f78b3ffe8e2aef mailman-debuginfo-2.1.5.1-34.rhel4.5.i386.rpm

ia64:
a42338d32e130205035d1ffe852fa2d1 mailman-2.1.5.1-34.rhel4.5.ia64.rpm
b32a43800a955c99aaaa63ba45cf723d mailman-debuginfo-2.1.5.1-34.rhel4.5.ia64.rpm

x86_64:
92921797e6bdab3c60f739a386e47d0b mailman-2.1.5.1-34.rhel4.5.x86_64.rpm
eff45cff79d327333feac959ebf3e9a4 mailman-debuginfo-2.1.5.1-34.rhel4.5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3636
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is lt;secalert@redhat.comgt;. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFE/zKzXlSAg2UNWIIRAqEyAJ9Ro5wLPn6TUU7bVonW1v9+6DYBFQCfWTDe
oiue7/oP/26AR6AN4NsplC0=
=2jQJ
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/rhsa_20060600_01_moderate_mailman_security_update.html)