
RE: [SECURITY] [DSA 436-1] New mailman packages fix several vulnerabilities



Hi all,

> Package        : mailman
> Vulnerability  : several
> Problem-Type   : remote
> Debian-specific: no
> CVE Ids        : CAN-2003-0991 CAN-2003-0965 CAN-2003-0038
> 
> Several vulnerabilities have been fixed in the mailman package:
> 
>  - CAN-2003-0038 - [...]
>  - CAN-2003-0965 - [...]
>  - CAN-2003-0991 - [...]
> 
> The cross-site scripting vulnerabilities could allow an attacker to
> perform administrative operations without authorization, by stealing a
> session cookie. 
> 
> For the current stable distribution (woody) these problems have been
> fixed in version 2.0.11-1woody7.
> 
> For the unstable distribution (sid), CAN-2003-0965 is fixed in version
> 2.1.4-1, and CAN-2003-0038 in version 2.1.1-1.  CAN-2003-0991 will be
> fixed soon. 

As far as I can see from the CAN, CAN-2003-0991 had already been fixed in 2.0.14.  Is this really an unfixed security vulnerability in the version that is currently in unstable (2.1.4-1)?


