Re: mailman 2.1.5-8sarge3: screwup between security and maintainer upload
Lionel Elie Mamane wrote:
> let a be an architecture in sarge. Then one of the following holds for
> mailman in sarge r3:
> - it is affected by a security problem.
> - it has a severity critical bug.
> Mailman in sid:
> may or may not suffer from a security problem
> A security problem in Mailman in sarge patched in May has _not_ been
> issued a DSA.
Oh. Which security problem are you talking about?
> There seems to have been a screw-up in handling of mailman security
> and stable updates: There are two different mailman packages in Debian
> with version number 2.1.5-8sarge3.
Ugh? How did that happen?
Where is the second one? I only see 2.1.5-8sarge3 in stable, and only
2.1.5-8sarge2 in the security archive.
> History, in chronological order:
> -8sarge2 security update to fix:
> potential DoS attack with malformed multi-part messages (closes: #358892) [CVE-2006-0052]
> -8sarge3 maintainer update (that got frozen waiting for -8sarge2 to
> happen in order not to conflict with it) to fix bug #358575, a
> severity critical bug.
> Uploaded to stable-proposed-updates in the night from 11 to 12
> April 2006, where it created problems because -8sarge1 was to be
> going in sarge r2, and having -8sarge3 appear confused
> everything. Stable update team says something along the lines of
> "will consider for sarge r3".
Apparently it has been installed in the archive.
> -8sarge3 security update to fix:
> format string vulnerability [src/common.c, debian/patches/72_CVE-2006-2191.dpatch]
> That security update has not been announced by a DSA, and cannot be
> downloaded from
> http://security.debian.org/pool/updates/main/m/mailman/ .
> I don't have access to the source of this package. It was apparently
> prepared by Martin "Joey" Schulze on 13 May 2006.
Umh? But where is it? I don't have it either. I have recorded the
patch to fix this vulnerability, though. It's attached.
> As a maintainer of Mailman, I have no recollection of being notified
> of CVE-2006-2191 (it is possible I have missed the notification, but
> my email archives do not contain anything relevant with subject
> "mailman" and 2191 in the body); the CVE entry at mitre.org contains
> no information. I have no idea whether this security problem affects
> the version in sid or not, I have no precise information _what_ this
> security problem is.
I found a trace. Apparently this problem has been considered not
exploitable later, and hence the issue was disregarded. The
researcher was Karl Chen. He suggested to file a normal bug then. If
that has happened, you should have (had) it in your bug list.
> The situation right now:
> - sarge r3 contains mailman 2.1.5-8sarge3, but some architectures
> have the security update (such as i386) and others have the
> maintainer update (such as source, sparc and alpha).
> Thus all architectures are screwed up in one way or the other.
This is an interesting screwup...
> So, please, security team, tell us about CVE-2006-2191. If
> appropriate, issue a DSA about it, for a package under version number
> -8sarge4, built on top of -8sarge3 the maintainer update. Please give
> us (the mailman-in-Debian maintainers) the information needed to fix
> CVE-2006-2191 in sid, or make a retroactive note in the changelog to
> note when it was fixed by a new upstream version.
I'll forward you the mails wrt this issue.
Guess we didn't contact you earlier because it became a non-issue.
> Stable release team, please react accordingly; you may for example do
> a binary sourceless NMU for the architectures that have -8sarge3 the
> security update so that they all have -8sarge3 the maintainer update.
Imho, it's more useful to upload 2.1.5-8sarge4 and only bump the
version number to get the new version built for all architectures into
Linux - the choice of a GNU generation.
Please always Cc to me when replying to me on the lists.