[Pkg-mailman-hackers] Bug#358892: Mailman DoS CVE-2006-0052,
debbug #358892
Lionel Elie Mamane
lmamane at debian.org
Wed Mar 29 19:44:35 UTC 2006
(Please don't hijack old threads about different issues, in particular
not without changing the subject line.)
On Wed, Mar 29, 2006 at 08:15:40PM +0100, Steve Kemp wrote:
> Package for Sarge at:
> http://people.debian.org/~skx/updates/mailman/
> Potential advisory text - need to know which version in sid
> will fix it.
Sid and etch are not vulnerable; problem was fixed in upstream 2.1.6;
etch contains 2.1.7-1; it was fixed in sid (without even realising it)
with the upload of 2.1.6-1 on Sun, 25 Dec 2005.
Please take this opportunity to retroactively add to the changelog of
2.1.5-8sarge1 that the
* Don't die on overflow in date handling, which could lead to a DoS
attack (closes: #326024)
is CVE-2005-4153.
Also add (closes: #358892) to your changelog entry.
> Package : mailman
> Vulnerability : denial of service
> Problem-Type : remote
> Debian-specific: no
> CVE ID : CVE-2006-0052
Debian Bug : 358892
> A potential denial of service problem has been discovered in mailman,
> the web-based GNU mailing list manager. The Common Vulnerabilities and
> Exposures project identifies the following problems:
We should give more details, because there have been two other DoS
vulnerabilities recently, so we don't want people to get confused. I
propose something along the lines of:
A potential denial of service problem has been discovered in mailman,
the web-based GNU mailing list manager. The (failing) parsing of
messages with malformed mime multiparts sometimes caused the whole
mailing list to become inoperative.
> The old stable distribution (woody) is not vulnerable to this issue.
> For the unstable distribution (sid) this problem will be fixed soon.
--
Lionel
More information about the Pkg-mailman-hackers
mailing list