__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                          INFORMATION BULLETIN

                        Mailman Security Update
                     [Red Hat RHSA-2006:0600-11]

September 7, 2006 17:00 GMT                                       Number Q-305
                                                          [REVISED 4 Oct 2006]
______________________________________________________________________________
PROBLEM:       There are several security vulnerabilities in Mailman:
               1) A flaw was found in the way Mailman handled MIME
                  multipart messages; and
               2) Several cross-site scripting (XSS) issues were found
                  in Mailman.

PLATFORM:      Red Hat Desktop (v. 3 & v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 3 & v. 4)
               Debian GNU/Linux 3.1 alias sarge

DAMAGE:        1) An attacker could send a carefully crafted MIME multipart
                  email message to a mailing list run by Mailman which
                  caused that particular mailing list to stop working; and
               2) An attacker could exploit these issues to perform
                  cross-site scripting attacks against the Mailman
                  administrator.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. 1) An attacker could send a carefully crafted
ASSESSMENT:    MIME multipart email message to a mailing list run by Mailman
               which caused that particular mailing list to stop working;
               and 2) An attacker could exploit these issues to perform
               cross-site scripting attacks against the Mailman
               administrator.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-305.shtml
 ORIGINAL BULLETIN:  Red Hat RHSA-2006:0600-11
                     https://rhn.redhat.com/errata/RHSA-2006-0600.html
 ADDITIONAL LINK:    Debian Security Advisory DSA-1188-1
                     http://www.debian.org/security/2006/dsa-1188
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2006-2941
                     CVE-2006-3636
______________________________________________________________________________
REVISION HISTORY:
 10/04/2006 - revised to add a link to Debian Security Advisory DSA-1188-1
              for Debian GNU/Linux 3.1 alias sarge.

[***** Start Red Hat RHSA-2006:0600-11 *****]

Moderate: mailman security update

Advisory:         RHSA-2006:0600-11
Type:             Security Advisory
Issued on:        2006-09-06
Last updated on:  2006-09-06

Affected Products:
  Red Hat Desktop (v. 3)
  Red Hat Desktop (v. 4)
  Red Hat Enterprise Linux AS (v. 3)
  Red Hat Enterprise Linux AS (v. 4)
  Red Hat Enterprise Linux ES (v. 3)
  Red Hat Enterprise Linux ES (v. 4)
  Red Hat Enterprise Linux WS (v. 3)
  Red Hat Enterprise Linux WS (v. 4)

CVEs (cve.mitre.org):
  CVE-2006-2941
  CVE-2006-3636

Details

Updated mailman packages that fix security issues are now available for
Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

Mailman is a program used to help manage email discussion lists.

A flaw was found in the way Mailman handled MIME multipart messages. An
attacker could send a carefully crafted MIME multipart email message to a
mailing list run by Mailman which caused that particular mailing list to stop
working. (CVE-2006-2941)

Several cross-site scripting (XSS) issues were found in Mailman. An attacker
could exploit these issues to perform cross-site scripting attacks against
the Mailman administrator. (CVE-2006-3636)

Red Hat would like to thank Barry Warsaw for disclosing these vulnerabilities.
Users of Mailman should upgrade to these updated packages, which contain
backported patches to correct this issue.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch
the Red Hat Update Agent with the following command:

  up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages
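As an added check that is not part of the CIAC bulletin or the Red Hat advisory: the Python below compares the mailman build installed on a host, as printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' mailman`, against the fixed builds this erratum ships (mailman-2.1.5.1-25.rhel3.7 for RHEL 3, mailman-2.1.5.1-34.rhel4.5 for RHEL 4) using a simplified rpm version comparison. The sample query output is constructed, and package epochs are assumed absent.

```python
import re

# Fixed mailman builds shipped by RHSA-2006:0600-11, keyed by RHEL major
# as it appears in the release tag: (version, release).
FIXED_BUILDS = {
    "rhel3": ("2.1.5.1", "25.rhel3.7"),
    "rhel4": ("2.1.5.1", "34.rhel4.5"),
}

# Constructed sample of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' mailman`
# on an unpatched RHEL 4 host; not output captured from a real system.
SAMPLE_RPM_QUERY = "mailman-2.1.5.1-34.rhel4.2\n"


def rpmvercmp(a, b):
    """Simplified rpm version/release comparison returning -1, 0 or 1.
    Runs of digits and letters are compared segment by segment: digit runs
    compare numerically and outrank letter runs; on a tie the string with
    more segments is newer. Assumes no '~' or '^' segments."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_patched(nvr):
    """True when the installed build named by NAME-VERSION-RELEASE is at or
    above the fixed build for its RHEL major (taken from the release tag)."""
    name, version, release = nvr.strip().rsplit("-", 2)
    if name != "mailman":
        raise ValueError("not a mailman package: %s" % nvr)
    m = re.search(r"rhel\d", release)
    if not m or m.group(0) not in FIXED_BUILDS:
        raise ValueError("release tag names no covered RHEL major: %s" % release)
    fixed_version, fixed_release = FIXED_BUILDS[m.group(0)]
    # Compare the version first; only on a tie does the release decide.
    c = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return c >= 0
```

A build that compares below the fixed one still lacks the backported patches and needs the up2date run described above.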
Bugs fixed (see bugzilla for more information)

  198344 - CVE-2006-2941 Mailman DoS
  203704 - CVE-2006-3636 Mailman XSS issues

References

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2941
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3636
  http://www.redhat.com/security/updates/classification/#moderate

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2006:0600-11 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-296: HP OpenView Storage Data Protector
Q-297: Cisco Unintentional Password Modification Vulnerability in Cisco
       Firewall Products
Q-298: Cisco VPN 3000 Concentrator FTP Management Vulnerabilities
Q-299: VMware ESX Server 2.5.3 Upgrade Patch 2
Q-300: Security Vulnerability in the Sun Java System Content Delivery Server
Q-301: pkgadd(1M) May Set Incorrect Permissions
Q-302: mysql-dfsg-4.1
CIACTech06-001: Protecting Against SQL Injection Attacks
Q-303: Multiple DoS Vulnerabilities in the BIND 9 Software
Q-304: OpenSSL Security Update