Security Advisory mailman security update

Advisory: RHSA-2006:0600-11
Type: Security Advisory
Severity: Moderate
Issued on: 2006-09-06
Last updated on: 2006-09-06
Affected Products: Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2006-2941
CVE-2006-3636

Details

Updated mailman packages that fix security issues are now available for Red
Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Mailman is a program used to help manage email discussion lists.

A flaw was found in the way Mailman handled MIME multipart messages. An
attacker could send a carefully crafted MIME multipart email message to a
mailing list run by Mailman which caused that particular mailing list
to stop working. (CVE-2006-2941)

Several cross-site scripting (XSS) issues were found in Mailman. An
attacker could exploit these issues to perform cross-site scripting attacks
against the Mailman administrator. (CVE-2006-3636)

Red Hat would like to thank Barry Warsaw for disclosing these vulnerabilities.

Users of Mailman should upgrade to these updated packages, which contain
backported patches to correct this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 3)
SRPMS:
mailman-2.1.5.1-25.rhel3.7.src.rpm
File outdated by:  RHBA-2007:0464		     aadc1f8f782b3bb77723aaf58f3075dd
 
IA-32:
mailman-2.1.5.1-25.rhel3.7.i386.rpm
File outdated by:  RHBA-2007:0464		     06ad7a3f4da347456466fa4f5e2fa7c3
 
x86_64:
mailman-2.1.5.1-25.rhel3.7.x86_64.rpm
File outdated by:  RHBA-2007:0464		     13322c51c7935facde94c51751d9cfed
 
Red Hat Desktop (v. 4)
SRPMS:
mailman-2.1.5.1-34.rhel4.5.src.rpm
File outdated by:  RHSA-2007:0779		     c93f0d4ba430ee583e22565d46ad4ca7
 
IA-32:
mailman-2.1.5.1-34.rhel4.5.i386.rpm
File outdated by:  RHSA-2007:0779		     9ab4155e1c5510abf085c9af828f57eb
 
x86_64:
mailman-2.1.5.1-34.rhel4.5.x86_64.rpm
File outdated by:  RHSA-2007:0779		     92921797e6bdab3c60f739a386e47d0b
 
Red Hat Enterprise Linux AS (v. 3)
SRPMS:
mailman-2.1.5.1-25.rhel3.7.src.rpm
File outdated by:  RHBA-2007:0464		     aadc1f8f782b3bb77723aaf58f3075dd
 
IA-32:
mailman-2.1.5.1-25.rhel3.7.i386.rpm
File outdated by:  RHBA-2007:0464		     06ad7a3f4da347456466fa4f5e2fa7c3
 
IA-64:
mailman-2.1.5.1-25.rhel3.7.ia64.rpm
File outdated by:  RHBA-2007:0464		     930f1caafb3f9a52df581ec287688b77
 
PPC:
mailman-2.1.5.1-25.rhel3.7.ppc.rpm
File outdated by:  RHBA-2007:0464		     3b25506baa71db64e4b5f46891995348
 
s390:
mailman-2.1.5.1-25.rhel3.7.s390.rpm
File outdated by:  RHBA-2007:0464		     10d5202c49895d7cd7735fd26a631a18
 
s390x:
mailman-2.1.5.1-25.rhel3.7.s390x.rpm
File outdated by:  RHBA-2007:0464		     c5db1d523b4ab0107c073d08da7fa067
 
x86_64:
mailman-2.1.5.1-25.rhel3.7.x86_64.rpm
File outdated by:  RHBA-2007:0464		     13322c51c7935facde94c51751d9cfed
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
mailman-2.1.5.1-34.rhel4.5.src.rpm
File outdated by:  RHSA-2007:0779		     c93f0d4ba430ee583e22565d46ad4ca7
 
IA-32:
mailman-2.1.5.1-34.rhel4.5.i386.rpm
File outdated by:  RHSA-2007:0779		     9ab4155e1c5510abf085c9af828f57eb
 
IA-64:
mailman-2.1.5.1-34.rhel4.5.ia64.rpm
File outdated by:  RHSA-2007:0779		     a42338d32e130205035d1ffe852fa2d1
 
PPC:
mailman-2.1.5.1-34.rhel4.5.ppc.rpm
File outdated by:  RHSA-2007:0779		     44ad39bb47c903413d8b6ffd930263dd
 
s390:
mailman-2.1.5.1-34.rhel4.5.s390.rpm
File outdated by:  RHSA-2007:0779		     338423bc0323023b04f177447ba01fb7
 
s390x:
mailman-2.1.5.1-34.rhel4.5.s390x.rpm
File outdated by:  RHSA-2007:0779		     e2f64e5975246be9b939d0a6e878fa61
 
x86_64:
mailman-2.1.5.1-34.rhel4.5.x86_64.rpm
File outdated by:  RHSA-2007:0779		     92921797e6bdab3c60f739a386e47d0b
 
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
mailman-2.1.5.1-25.rhel3.7.src.rpm
File outdated by:  RHBA-2007:0464		     aadc1f8f782b3bb77723aaf58f3075dd
 
IA-32:
mailman-2.1.5.1-25.rhel3.7.i386.rpm
File outdated by:  RHBA-2007:0464		     06ad7a3f4da347456466fa4f5e2fa7c3
 
IA-64:
mailman-2.1.5.1-25.rhel3.7.ia64.rpm
File outdated by:  RHBA-2007:0464		     930f1caafb3f9a52df581ec287688b77
 
x86_64:
mailman-2.1.5.1-25.rhel3.7.x86_64.rpm
File outdated by:  RHBA-2007:0464		     13322c51c7935facde94c51751d9cfed
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
mailman-2.1.5.1-34.rhel4.5.src.rpm
File outdated by:  RHSA-2007:0779		     c93f0d4ba430ee583e22565d46ad4ca7
 
IA-32:
mailman-2.1.5.1-34.rhel4.5.i386.rpm
File outdated by:  RHSA-2007:0779		     9ab4155e1c5510abf085c9af828f57eb
 
IA-64:
mailman-2.1.5.1-34.rhel4.5.ia64.rpm
File outdated by:  RHSA-2007:0779		     a42338d32e130205035d1ffe852fa2d1
 
x86_64:
mailman-2.1.5.1-34.rhel4.5.x86_64.rpm
File outdated by:  RHSA-2007:0779		     92921797e6bdab3c60f739a386e47d0b
 
Red Hat Enterprise Linux WS (v. 3)
SRPMS:
mailman-2.1.5.1-25.rhel3.7.src.rpm
File outdated by:  RHBA-2007:0464		     aadc1f8f782b3bb77723aaf58f3075dd
 
IA-32:
mailman-2.1.5.1-25.rhel3.7.i386.rpm
File outdated by:  RHBA-2007:0464		     06ad7a3f4da347456466fa4f5e2fa7c3
 
IA-64:
mailman-2.1.5.1-25.rhel3.7.ia64.rpm
File outdated by:  RHBA-2007:0464		     930f1caafb3f9a52df581ec287688b77
 
x86_64:
mailman-2.1.5.1-25.rhel3.7.x86_64.rpm
File outdated by:  RHBA-2007:0464		     13322c51c7935facde94c51751d9cfed
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
mailman-2.1.5.1-34.rhel4.5.src.rpm
File outdated by:  RHSA-2007:0779		     c93f0d4ba430ee583e22565d46ad4ca7
 
IA-32:
mailman-2.1.5.1-34.rhel4.5.i386.rpm
File outdated by:  RHSA-2007:0779		     9ab4155e1c5510abf085c9af828f57eb
 
IA-64:
mailman-2.1.5.1-34.rhel4.5.ia64.rpm
File outdated by:  RHSA-2007:0779		     a42338d32e130205035d1ffe852fa2d1
 
x86_64:
mailman-2.1.5.1-34.rhel4.5.x86_64.rpm
File outdated by:  RHSA-2007:0779		     92921797e6bdab3c60f739a386e47d0b
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

198344 - CVE-2006-2941 Mailman DoS
203704 - CVE-2006-3636 Mailman XSS issues


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3636
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/