-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
    AUSCERT External Security Bulletin Redistribution

        ESB-2001.539 -- Debian Security Advisory DSA-094-1
               mailman cross-site scripting problem
                        17 December 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                mailman
Vendor:                 Debian
Operating System:       Debian GNU/Linux 2.2
Platform:               Alpha
                        ARM
                        i386
                        Motorola 680x0
                        PowerPC
                        SPARC
Impact:                 Reduced Security
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-094-1                     security@debian.org
http://www.debian.org/security/                           Wichert Akkerman
December 16, 2001
- - ------------------------------------------------------------------------

Package        : mailman
Problem type   : cross-site scripting hole
Debian-specific: no

Barry A. Warsaw reported several cross-site scripting security holes in
Mailman, due to non-existent escaping of CGI variables. These have been
fixed upstream in version 2.0.8, and the relevant patches have been
backported to version 1.1-10 in Debian.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.2 alias potato
- - ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
  Source archives:

    http://security.debian.org/dists/stable/updates/main/source/mailman_1.1-10.diff.gz
      MD5 checksum: a9ae9e389e13622a9dd8a70a6a57f2b7
    http://security.debian.org/dists/stable/updates/main/source/mailman_1.1-10.dsc
      MD5 checksum: 8c77bc3c07be39e8ced4d85882eedf21
    http://security.debian.org/dists/stable/updates/main/source/mailman_1.1.orig.tar.gz
      MD5 checksum: 42d499f4e1de6959c50b20a4eb0f432a

  Alpha architecture:

    http://security.debian.org/dists/stable/updates/main/binary-alpha/mailman_1.1-10_alpha.deb
      MD5 checksum: 67f8c3c723ec8797117d1fed29f41369

  ARM architecture:

    http://security.debian.org/dists/stable/updates/main/binary-arm/mailman_1.1-10_arm.deb
      MD5 checksum: 80d1fbee3ae7bab5e73ce860b4d8da87

  Intel IA-32 architecture:

    http://security.debian.org/dists/stable/updates/main/binary-i386/mailman_1.1-10_i386.deb
      MD5 checksum: 27c9d400360a99b39954f563f5d0ed43

  Motorola 680x0 architecture:

    http://security.debian.org/dists/stable/updates/main/binary-m68k/mailman_1.1-10_m68k.deb
      MD5 checksum: 2a62ce782f5510f24458050e4c3331d9

  PowerPC architecture:

    http://security.debian.org/dists/stable/updates/main/binary-powerpc/mailman_1.1-10_powerpc.deb
      MD5 checksum: 9239fc74b76ec983b3009a194dc4ce2c

  Sun Sparc architecture:

    http://security.debian.org/dists/stable/updates/main/binary-sparc/mailman_1.1-10_sparc.deb
      MD5 checksum: ad498878cdc9901e92e4b775e023f610

  These packages will be moved into the stable distribution on its next
  revision.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .
- - --
- - ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBPBv8AajZR/ntlUftAQGIBgMAqrY9ILYTVBAZh4prGb7/Tk40/A1hAWG4
E5K6NzanvsDbbhQwPafOumUazCVnJa+GSwA/ydhektBXdwR4bv6DIfpOS7nJ4o/R
Po2pptcNrd/r7XaDDxHWraxk6llTznoI
=o1Zc
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPB4daCh9+71yA2DNAQHgiQP/RzV7TtC/s86qGAasPWh72bfOwVGhwIhJ
NnroT2bpzUgk/ZZvmZfPR2djRf03gLV1FJPrsE3LACIzcJK9dEbcTP1mptDqiZkR
yCE787xr5ZlvUQfRLBBDVmRLb7zn4jCziFnJDqsH33qYWvvSDDYRyiJOdYONG2pZ
FsBfeDWYQpU=
=ZEeW
-----END PGP SIGNATURE-----
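The advisory's root cause, "non-existent escaping of CGI variables", is the generic reflected cross-site scripting pattern: a value taken from the query string is pasted into the HTML response and the browser parses it as markup. The following is an added example illustrating that pattern and its fix; it is not Mailman's code and not part of the Debian or AusCERT text. The function names (`render_unescaped`, `render_escaped`, `contains_live_markup`), the `listname` and `info` parameters and the sample query strings are all constructed for the illustration. Mailman is written in Python, so the example uses Python's `html.escape`.

```python
# Added example (not Mailman's own code): why unescaped CGI variables in
# HTML output are a cross-site scripting hole, and the fix of escaping
# every value before it is interpolated. All names and inputs below are
# hypothetical/constructed for the illustration.
import html
from urllib.parse import parse_qs

# Constructed sample query strings, as a CGI script would see them in
# QUERY_STRING. The second carries a <script> element in the "info" field.
BENIGN_QUERY = "listname=announce&info=Welcome"
HOSTILE_QUERY = "listname=announce&info=%3Cscript%3Ealert(1)%3C/script%3E"

PAGE_TEMPLATE = "<h1>List: %s</h1>\n<p>%s</p>"


def cgi_vars(query_string):
    """Return the first value of each CGI variable (a minimal FieldStorage)."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def render_unescaped(query_string):
    """The 'before' form: CGI values go straight into the HTML response,
    so a value containing <script> becomes live markup in the page."""
    v = cgi_vars(query_string)
    return PAGE_TEMPLATE % (v.get("listname", ""), v.get("info", ""))


def render_escaped(query_string):
    """The fixed form: every CGI value is HTML-escaped before interpolation,
    so it is rendered as text and never parsed as markup."""
    v = cgi_vars(query_string)

    def esc(s):
        # quote=True also escapes quotes, so the value is safe inside attributes too
        return html.escape(s, quote=True)

    return PAGE_TEMPLATE % (esc(v.get("listname", "")), esc(v.get("info", "")))


def contains_live_markup(rendered, tag="script"):
    """Detection helper: True if a raw <tag> element survived into the output."""
    return ("<%s" % tag) in rendered.lower()


if __name__ == "__main__":
    for name, query in (("benign", BENIGN_QUERY), ("hostile", HOSTILE_QUERY)):
        print("== %s query, unescaped ==" % name)
        print(render_unescaped(query))
        print("== %s query, escaped ==" % name)
        print(render_escaped(query))
```

Running the block prints the unescaped rendering (where the hostile `info` value appears as a real `<script>` element) next to the escaped rendering (where it appears as `&lt;script&gt;…`). The `contains_live_markup` helper is the kind of check a regression test for an escaping fix would carry: it should be true for the unescaped form and false for the escaped one, while benign input renders identically either way.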