Re: [SECURITY] [DSA 436-1] New mailman packages fix several vulnerabilities
On Sun, Feb 22, 2004 at 03:07:20PM +0100, Julian Mehnle wrote:
> > Package : mailman
> > Vulnerability : several
> > Problem-Type : remote
> > Debian-specific: no
> > CVE Ids : CAN-2003-0991 CAN-2003-0965 CAN-2003-0038
> >
> > Several vulnerabilities have been fixed in the mailman package:
> >
> > - CAN-2003-0038 - [...]
> > - CAN-2003-0965 - [...]
> > - CAN-2003-0991 - [...]
> >
> > The cross-site scripting vulnerabilities could allow an attacker to
> > perform administrative operations without authorization, by stealing a
> > session cookie.
> >
> > For the current stable distribution (woody) these problems have been
> > fixed in version 2.0.11-1woody7.
> >
> > For the unstable distribution (sid), CAN-2003-0965 is fixed in version
> > 2.1.4-1, and CAN-2003-0038 in version 2.1.1-1. CAN-2003-0991 will be
> > fixed soon.
> As far as I can see from the CAN, CAN-2003-0991 had already been fixed in
> 2.0.14. Is this really an unfixed security vulnerability in the version
> that is currently in unstable (2.1.4-1)?
mailman 2.0.14 (2004-02) postdates mailman 2.1.4 (2003-12).