[Secure-testing-commits] r8076 - data/CVE
thijs at alioth.debian.org
Tue Feb 5 07:33:04 UTC 2008
Author: thijs
Date: 2008-02-05 07:33:04 +0000 (Tue, 05 Feb 2008)
New Revision: 8076
Modified:
data/CVE/list
Log:
new mailman XSS issue requires to be authenticated as list admin, which means
you already have a lot of power over the list. No DSA for this issue in itself,
I will take care of updating sid soon.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2008-02-04 22:41:34 UTC (rev 8075)
+++ data/CVE/list 2008-02-05 07:33:04 UTC (rev 8076)
@@ -1,3 +1,12 @@
+CVE-2008-0564 [mailman xss as list admin]
+ - mailman <unfixed> (low)
+ [etch] - mailman <no-dsa> (Minor issue)
+ [sarge] - mailman <no-dsa> (Minor issue)
+ NOTE: Someone authenticated as list admin can insert malicious script
+ NOTE: into list templates. This already consists of a high degree of
+ NOTE: control over the mailinglist, so not a very important issue.
+ NOTE: This enhances the fix for CVE-2006-3636.
+ NOTE: http://mail.python.org/pipermail/mailman-announce/2008-February/000095.html
CVE-2008-XXXX [insecure tmp file usage in webwml]
- wml <unfixed> (low; bug #463907)
[sarge] - wml <not-affected> (Vulnerable code is patched to use mkdtemp)
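Review bot: the new CVE-2008-0564 entry marks mailman as <unfixed> (low) but carries no bug reference, whereas the wml entry just below it records "bug #463907" on the same kind of line. Since the log says the sid update is still pending, adding the bug number in the same parenthesised form once one is filed would let the tracker follow the fix. The line "NOTE: This enhances the fix for CVE-2006-3636." is also ambiguous about what "This" is. The surrounding notes describe the issue, not a patch, so wording such as "The upstream fix for this issue extends the fix for CVE-2006-3636" would read more clearly if that is the intended meaning.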