RE: [SECURITY] [DSA 436-1] New mailman packages fix several vulnerabilities
> Package : mailman
> Vulnerability : several
> Problem-Type : remote
> Debian-specific: no
> CVE Ids : CAN-2003-0991 CAN-2003-0965 CAN-2003-0038
> Several vulnerabilities have been fixed in the mailman package:
> - CAN-2003-0038 - [...]
> - CAN-2003-0965 - [...]
> - CAN-2003-0991 - [...]
> The cross-site scripting vulnerabilities could allow an attacker to
> perform administrative operations without authorization, by stealing a
> session cookie.
> For the current stable distribution (woody) these problems have been
> fixed in version 2.0.11-1woody7.
> For the unstable distribution (sid), CAN-2003-0965 is fixed in version
> 2.1.4-1, and CAN-2003-0038 in version 2.1.1-1. CAN-2003-0991 will be
> fixed soon.
As far as I can see from the CAN, CAN-2003-0991 had already been fixed in 2.0.14. Is this really an unfixed security vulnerability in the version that is currently in unstable (2.1.4-1)?