mailman vulnerabilities

11 January 2005

mailman vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 4.10

Software Description

Details

Florian Weimer discovered a cross-site scripting vulnerability in mailman’s automatically generated error messages. An attacker could craft an URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page. When an unsuspecting user followed this URL, the malicious content was copied unmodified to the error page and executed in the context of this page.

Juha-Matti Tapio discovered an information disclosure in the private rosters management. Everybody could check whether a specified email address was subscribed to a private mailing list by looking at the error message. This bug was Ubuntu/Debian specific.

Important note:

There is currently another known vulnerability: when an user subscribes to a mailing list without choosing a password, mailman automatically generates one. However, there are only about 5 million different possible passwords which allows brute force attacks.

A different password generation algorithm already exists, but is currently too immature to be put into a stable release security update. Therefore it is advisable to always explicitly choose a password for subscriptions, at least until this gets fixed in Warty Warthog.

See https://bugzilla.ubuntu.com/4892 for details.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 4.10

mailman

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References

• CVE-2004-1177
• http://bugs.debian.org/285839