[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: mailman 2.1.5-8sarge3: screwup between security and maintainer upload

Lionel Elie Mamane wrote:
> let a be an architecture in sarge. Then one of the following holds for
> mailman in sarge r3:
>  - it is affected by a security problem.
>  - it has a severity critical bug.
> Mailman in sid:
>  - may or may not suffer of a security problem
> A security problem in Mailman in sarge patched in May has _not_ been
> issued a DSA.

Oh.  Which security problem are you talking about?

> There seems to have been a screw-up in handling of mailman security
> and stable updates: There are two different mailman packages in Debian
> with version number 2.1.5-8sarge3.

Ugh?  How did that happen?

Where is the second one?  I only see 2.1.5-8sarge3 in stable but only
2.1.5-8sarge2 in the security archive.

> History, in chronological order:
>  -8sarge2 security update to fix:
>   potential DoS attack with malformed multi-part messages (closes: #358892) [CVE-2006-0052]
>  -8sarge3 maintainer update (that got frozen waiting for -8sarge2 to
>   happen in order not to conflict with it) to fix bug #358575, a
>   severity critical bug.
>   Uploaded to stable-proposed-updates in the night from 11 to 12
>   April 2006, where it created problems because -8sarge1 was to be
>   going in sarge r2, and having -8sarge3 appear confused
>   everything. Stable update team says something along the lines of
>   "will consider for sarge r3".

Apparently it has been installed in the archive.

>  -8sarge3 security update to fix:
>   formt string vulnerability [src/common.c, debian/patches/72_CVE-2006-2191.dpatch]
>   That security update has not been announced by a DSA, and cannot be
>   downloaded from
>   http://security.debian.org/pool/updates/main/m/mailman/ .
>   I don't have access to the source of this package. It was apparently
>   prepared by Martin "Joey" Schulze on 13 May 2006.

Umh?  But where is it?  I don't have it either.  I have recorded the
patch to fix this vulnerability, though.  It's attached.

> As a maintainer of Mailman, I have no recollection of being notified
> of CVE-2006-2191 (it is possible I have missed the notification, but
> my email archives do not contain anything relevant with subject
> "mailman" and 2191 in the body); the CVE entry at mitre.org contains
> no information. I have no idea whether this security problem affects
> the version in sid or not, I have no precise information _what_ this
> security problem is.

I found a trace.  Apparently this problem has been considered not
exploitable later, and hence the issue was disregarded.  The
researcher was Karl Chen.  He suggested to file a normal bug then.  If
that has happened, you should have (had) it in your bug list.

> The situation right now:
>  - sarge r3 contains mailman 2.1.5-8sarge3, but some architectures
>    have the security update (such as i386) and others have the
>    maintainer update (such as source, sparc and alpha).
>    Thus all architectures are screwed up in one way or the other.


This is an interesting screwup...

> So, please, security team, tell us about CVE-2006-2191. If
> appropriate, issue a DSA about it, for a package under version number
> -8sarge4, built on top of -8sarge3 the maintainer update. Please give
> us (the mailman-in-Debian maintainers) the information needed to fix
> CVE-2006-2191 in sid, or make a retroactive note in the changelog to
> note when it was fixed by a new upstream version.

I'll forward you the mails wrt this issue.

Guess we didn't contact you earlier because it became a non-issue.

> Stable release team, please react accordingly; you may for example do
> a binary sourceless NMU for the architectures that have -8sarge3 the
> security update so that they all have -8sarge3 the maintainer update.

Imho, it's more useful to upload 2.1.5-8sarge4 and only bump the
version number to get the new version built for all architectures into
the archive.



Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.

Reply to: