Security Advisory Moderate: mailman security update

Advisory: RHSA-2011:0308-1
Type: Security Advisory
Severity: Moderate
Issued on: 2011-03-01
Last updated on: 2011-03-01
Affected Products: Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server EUS (v. 6.0.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2010-3089
CVE-2011-0707

Details

An updated mailman package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Mailman is a program used to help manage email discussion lists.

Multiple input sanitization flaws were found in the way Mailman displayed
usernames of subscribed users on certain pages. If a user who is subscribed
to a mailing list were able to trick a victim into visiting one of those
pages, they could perform a cross-site scripting (XSS) attack against the
victim. (CVE-2011-0707)

Multiple input sanitization flaws were found in the way Mailman displayed
mailing list information. A mailing list administrator could use this flaw
to conduct a cross-site scripting (XSS) attack against victims viewing a
list's "listinfo" page. (CVE-2010-3089)
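Both flaws above reduce to the same defect: a string that someone other than the site owner controls, the list description an administrator sets (CVE-2010-3089) or a member's full name (CVE-2011-0707), is placed into HTML without escaping. The following is an added illustration, not Mailman's own code or the backported patch; the rendering functions, list name, description and member data are constructed for this example.

```python
import html

# Constructed sample data, not from any real list: the description is the kind
# of field a list administrator controls (CVE-2010-3089), the full names are
# the kind of field a subscriber controls (CVE-2011-0707). Both carry markup.
LIST_NAME = "announce"
LIST_DESCRIPTION = 'Site news <script>alert("listinfo")</script>'
MEMBERS = [
    ("alice@example.org", "Alice Example"),
    ("mallory@example.org", '<script>alert("roster")</script>Mallory'),
]


def render_listinfo_unsafe(name, description, members):
    """The flawed pattern: admin- and member-supplied strings go into the
    page verbatim, so any markup they contain is rendered by the browser."""
    rows = ['<li><a href="mailto:%s">%s</a></li>' % (addr, fullname)
            for addr, fullname in members]
    return ("<h1>%s</h1>\n<p>%s</p>\n<ul>\n%s\n</ul>"
            % (name, description, "\n".join(rows)))


def render_listinfo_safe(name, description, members):
    """The corrected pattern: every untrusted string is HTML-escaped at the
    point it is placed in markup; quote=True also covers attribute values."""
    def esc(s):
        return html.escape(s, quote=True)
    rows = ['<li><a href="mailto:%s">%s</a></li>' % (esc(addr), esc(fullname))
            for addr, fullname in members]
    return ("<h1>%s</h1>\n<p>%s</p>\n<ul>\n%s\n</ul>"
            % (esc(name), esc(description), "\n".join(rows)))


def leaks_markup(description, members, rendered):
    """Smoke test for a rendered page: True if any admin- or member-supplied
    string that holds HTML metacharacters appears in the output verbatim,
    i.e. reached the page unescaped."""
    untrusted = [description] + [f for member in members for f in member]
    for field in untrusted:
        if any(c in field for c in '<>"&') and field in rendered:
            return True
    return False


if __name__ == "__main__":
    for label, render in (("unsafe", render_listinfo_unsafe),
                          ("safe", render_listinfo_safe)):
        page = render(LIST_NAME, LIST_DESCRIPTION, MEMBERS)
        print("%s renderer leaks markup: %s"
              % (label, leaks_markup(LIST_DESCRIPTION, MEMBERS, page)))
```

The smoke test only catches fields that survive verbatim; it is a regression check for a template, not a substitute for escaping at every output point.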

Red Hat would like to thank Mark Sapiro for reporting these issues.

Users of mailman should upgrade to this updated package, which contains
backported patches to correct these issues.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
mailman-2.1.12-14.el6_0.2.src.rpm
File outdated by:  RHBA-2012:1474
    MD5: bd6fea00b707cc4dd6fd2a1fb001dbb5
SHA-256: 82b25e9a5f5789c30fe59f3cb6df6ed74b704c4d54263df88023f618554af652
 
IA-32:
mailman-2.1.12-14.el6_0.2.i686.rpm
File outdated by:  RHBA-2012:1474
    MD5: f5ad82cf6a8e3685323e999848d3d17f
SHA-256: 0ce046a2f05910b59bb530dd4015cd6384fb16f65d84321346874bd60d91b4a3
mailman-debuginfo-2.1.12-14.el6_0.2.i686.rpm
File outdated by:  RHBA-2012:1474
    MD5: 6defef15cb32310fcd6b72d0ce1517f2
SHA-256: 4e149079d30190af6151b50073af800c19ee3fbeee79230b65bb00d57eb86b99
 
PPC:
mailman-2.1.12-14.el6_0.2.ppc64.rpm
File outdated by:  RHBA-2012:1474
    MD5: c5326025d696c4a5e1432987143c56dc
SHA-256: f337829fd9921cf2692bbcf658fc12b2e421b93117f065044ed9770286d6e6a1
mailman-debuginfo-2.1.12-14.el6_0.2.ppc64.rpm
File outdated by:  RHBA-2012:1474
    MD5: 6ccbb3d0c7db52bb2f97968e37fafed1
SHA-256: 92e7b4925aada9ebed6aa8be384ff9f9c75a6ee91fe3c58df7403c897276ef57
 
s390x:
mailman-2.1.12-14.el6_0.2.s390x.rpm
File outdated by:  RHBA-2012:1474
    MD5: 09f9f8ceebc09d3cc4f6f1696970ba7f
SHA-256: 15b410f84c329f2c040b0c535daae037bb349d290f41a4c10f1990ca76cd38e5
mailman-debuginfo-2.1.12-14.el6_0.2.s390x.rpm
File outdated by:  RHBA-2012:1474
    MD5: ad81b362a112ea0532347c86896de1ab
SHA-256: 5bff2ec96c742842928c3944357bad8fd5296490d3542a88b54e6ac1e2bf4a6d
 
x86_64:
mailman-2.1.12-14.el6_0.2.x86_64.rpm
File outdated by:  RHBA-2012:1474
    MD5: 6bd86adff922f15941bcc258d5c165b9
SHA-256: 288add5adcef7a74f3a38597ea57cbdfd42728a8b752994c3c3913999ff022c5
mailman-debuginfo-2.1.12-14.el6_0.2.x86_64.rpm
File outdated by:  RHBA-2012:1474
    MD5: 1d1127f312edd4e308012a790dbdc3d7
SHA-256: ef3a9c061384ce103c6b4e623e0260db45d236e63ea5a4d514f908682d56ae77
 
Red Hat Enterprise Linux Server EUS (v. 6.0.z)

SRPMS:
mailman-2.1.12-14.el6_0.2.src.rpm
File outdated by:  RHBA-2012:1474
    MD5: bd6fea00b707cc4dd6fd2a1fb001dbb5
SHA-256: 82b25e9a5f5789c30fe59f3cb6df6ed74b704c4d54263df88023f618554af652
 
IA-32:
mailman-2.1.12-14.el6_0.2.i686.rpm     MD5: f5ad82cf6a8e3685323e999848d3d17f
SHA-256: 0ce046a2f05910b59bb530dd4015cd6384fb16f65d84321346874bd60d91b4a3
mailman-debuginfo-2.1.12-14.el6_0.2.i686.rpm     MD5: 6defef15cb32310fcd6b72d0ce1517f2
SHA-256: 4e149079d30190af6151b50073af800c19ee3fbeee79230b65bb00d57eb86b99
 
PPC:
mailman-2.1.12-14.el6_0.2.ppc64.rpm     MD5: c5326025d696c4a5e1432987143c56dc
SHA-256: f337829fd9921cf2692bbcf658fc12b2e421b93117f065044ed9770286d6e6a1
mailman-debuginfo-2.1.12-14.el6_0.2.ppc64.rpm     MD5: 6ccbb3d0c7db52bb2f97968e37fafed1
SHA-256: 92e7b4925aada9ebed6aa8be384ff9f9c75a6ee91fe3c58df7403c897276ef57
 
s390x:
mailman-2.1.12-14.el6_0.2.s390x.rpm     MD5: 09f9f8ceebc09d3cc4f6f1696970ba7f
SHA-256: 15b410f84c329f2c040b0c535daae037bb349d290f41a4c10f1990ca76cd38e5
mailman-debuginfo-2.1.12-14.el6_0.2.s390x.rpm     MD5: ad81b362a112ea0532347c86896de1ab
SHA-256: 5bff2ec96c742842928c3944357bad8fd5296490d3542a88b54e6ac1e2bf4a6d
 
x86_64:
mailman-2.1.12-14.el6_0.2.x86_64.rpm     MD5: 6bd86adff922f15941bcc258d5c165b9
SHA-256: 288add5adcef7a74f3a38597ea57cbdfd42728a8b752994c3c3913999ff022c5
mailman-debuginfo-2.1.12-14.el6_0.2.x86_64.rpm     MD5: 1d1127f312edd4e308012a790dbdc3d7
SHA-256: ef3a9c061384ce103c6b4e623e0260db45d236e63ea5a4d514f908682d56ae77
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
mailman-2.1.12-14.el6_0.2.src.rpm
File outdated by:  RHBA-2012:1474
    MD5: bd6fea00b707cc4dd6fd2a1fb001dbb5
SHA-256: 82b25e9a5f5789c30fe59f3cb6df6ed74b704c4d54263df88023f618554af652
 
IA-32:
mailman-2.1.12-14.el6_0.2.i686.rpm
File outdated by:  RHBA-2012:1474
    MD5: f5ad82cf6a8e3685323e999848d3d17f
SHA-256: 0ce046a2f05910b59bb530dd4015cd6384fb16f65d84321346874bd60d91b4a3
mailman-debuginfo-2.1.12-14.el6_0.2.i686.rpm
File outdated by:  RHBA-2012:1474
    MD5: 6defef15cb32310fcd6b72d0ce1517f2
SHA-256: 4e149079d30190af6151b50073af800c19ee3fbeee79230b65bb00d57eb86b99
 
x86_64:
mailman-2.1.12-14.el6_0.2.x86_64.rpm
File outdated by:  RHBA-2012:1474
    MD5: 6bd86adff922f15941bcc258d5c165b9
SHA-256: 288add5adcef7a74f3a38597ea57cbdfd42728a8b752994c3c3913999ff022c5
mailman-debuginfo-2.1.12-14.el6_0.2.x86_64.rpm
File outdated by:  RHBA-2012:1474
    MD5: 1d1127f312edd4e308012a790dbdc3d7
SHA-256: ef3a9c061384ce103c6b4e623e0260db45d236e63ea5a4d514f908682d56ae77
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

631881 - CVE-2010-3089 mailman: Multiple security flaws leading to cross-site scripting (XSS) attacks
677375 - CVE-2011-0707 Mailman: Three XSS flaws due to improper escaping of the full name of the member


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/