[Pkg-mailman-hackers] Re: CVE-2006-2941: Mailman: DoS caused by standards-breaking RFC 2231 formatted headers.
Lionel Elie Mamane
lionel at mamane.lu
Wed Sep 20 13:35:14 UTC 2006
On Tue, Sep 12, 2006 at 10:25:15AM +0200, Lionel Elie Mamane wrote:
> I tried to prepare an update for CVE-2006-2941 in Mailman. This was
> fixed upstream by updating the included python "email" package. But in
> Mailman-in-sarge, the included email package is not used at all. I
> believe it then uses the "email" package from python? This security
> issue then needs to be solved in python? Is not present at all in
> python's email package? I'm not sure. I'm confused.
I've taken a closer look at this. I'm now sure that:
- mailman as packaged in sarge uses the "email" python package
provided by python itself.
- the email package provided by python is version 2.5.5
- the fix in the email package that fixes CVE-2006-2941 for Mailman
is between email 2.5.7 and email 2.5.8.
I hence conclude:
- the python email package bug that leads to CVE-2006-2941 in Mailman
is present in python in sarge.
- it hence needs to be fixed in python.
Something based on the patch I sent in my previous mail should
do. That patch creates a file
"mailman-2.1.5/misc/CVE-2006-2941.patch"; that's the patch that should
(partially?) be applied to the email python package.
--
Lionel
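The advisory discussed above concerns RFC 2231 formatted parameters in MIME headers, which is what the python "email" package decodes on Mailman's behalf. The following is an added example, not code from Mailman, from python's email package, or from the patch mentioned in the thread: a small, defensive decoder for RFC 2231 section/charset parameters that shows what these headers look like and how a decoder can be kept bounded on malformed input. The header strings in it are constructed for illustration; the section limit, the charset fallback and the helper names are assumptions of this example, and nothing here reproduces the specific malformed input behind CVE-2006-2941.

```python
"""Defensive RFC 2231 parameter decoding (added example, not the email package's code).

RFC 2231 lets a MIME parameter be split into numbered sections
(name*0, name*1, ...) and lets a section be flagged as percent-encoded by a
trailing '*'; section 0 of an encoded parameter carries charset'lang'value.
"""
import re
import urllib.parse

# Assumption of this example: cap the number of sections kept per parameter so a
# header with thousands of sections cannot make the decoder do unbounded work.
MAX_SECTIONS = 64

# key forms: name, name*N, name*, name*N*  (anything else is ignored)
_SECTION = re.compile(r"^(?P<name>[^*]+)(?:\*(?P<num>[0-9]+))?(?P<enc>\*)?$")


def split_params(header):
    """Split 'value; k=v; k2="v 2"' into (value, [(k, v), ...]), honouring quotes."""
    parts, cur, in_quotes = [], [], False
    for ch in header:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    params = []
    for piece in parts[1:]:
        if "=" not in piece:
            continue  # tolerate stray ';;' or a bare token instead of failing
        key, _, value = piece.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params.append((key.strip().lower(), value))
    return parts[0].strip(), params


def _pct_decode(text, charset):
    """Percent-decode one section; an unknown charset name falls back to ASCII."""
    try:
        return urllib.parse.unquote(text, encoding=charset or "ascii", errors="replace")
    except LookupError:
        return urllib.parse.unquote(text, encoding="ascii", errors="replace")


def decode_rfc2231_params(params):
    """Reassemble RFC 2231 sections into {name: str} without raising on bad input."""
    plain, sections = {}, {}  # sections: name -> {num: (encoded, text)}
    for key, value in params:
        m = _SECTION.match(key)
        if not m:
            continue
        name, num, enc = m.group("name"), m.group("num"), bool(m.group("enc"))
        if num is None and not enc:
            plain[name] = value
            continue
        if num is not None and len(num) > 6:
            continue  # absurd section index: drop it rather than parse a huge int
        bucket = sections.setdefault(name, {})
        if len(bucket) >= MAX_SECTIONS:
            continue  # bounded: extra sections are ignored
        bucket.setdefault(int(num) if num is not None else 0, (enc, value))  # first wins
    out = dict(plain)
    for name, bucket in sections.items():
        charset, pieces = None, []
        for n in sorted(bucket):  # gaps in numbering are tolerated
            enc, text = bucket[n]
            if enc and n == 0 and text.count("'") >= 2:
                charset, _lang, text = text.split("'", 2)
            pieces.append(_pct_decode(text, charset) if enc else text)
        out[name] = "".join(pieces)
    return out


def decode_header(header):
    """Return (main value, {param: decoded value}) for a Content-* header body."""
    main, params = split_params(header)
    return main, decode_rfc2231_params(params)


def flood_header(n):
    """Constructed header with n continuation sections (used to show the cap)."""
    return "x; " + "; ".join("x*%d=a" % i for i in range(n))


# Constructed sample headers (not from real mail).
GOOD = "attachment; filename*0*=utf-8''report%20Q3; filename*1*=%20final; filename*2=.pdf"
BAD = ("attachment; filename*0*=no-such-charset''a%41%ZZ; filename*7=tail; "
       "filename*1*=%20b; filename*99999999999999999999=huge; filename*=dup")

if __name__ == "__main__":
    for h in (GOOD, BAD, flood_header(200)):
        print(decode_header(h))
```

The well-formed header decodes to `report Q3 final.pdf`; the malformed one yields a string rather than an exception (unknown charset, bad percent escape, duplicate and out-of-range section numbers are all tolerated), and the 200-section header is cut at MAX_SECTIONS. Whether a given email package version handles such input safely is exactly the kind of check this thread is about, and the version boundaries it names (2.5.5 in sarge, the fix between 2.5.7 and 2.5.8) are the ones to compare against.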