Issued:
2011-03-01
Updated:
2011-03-01

RHSA-2011:0307 - Security Advisory

Synopsis

Moderate: mailman security update

Type/Severity

Security Advisory: Moderate

Topic

An updated mailman package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Mailman is a program used to help manage email discussion lists.

Multiple input sanitization flaws were found in the way Mailman displayed
usernames of subscribed users on certain pages. If a user who is subscribed
to a mailing list were able to trick a victim into visiting one of those
pages, they could perform a cross-site scripting (XSS) attack against the
victim. (CVE-2011-0707)

Multiple input sanitization flaws were found in the way Mailman displayed
mailing list information. A mailing list administrator could use this flaw
to conduct a cross-site scripting (XSS) attack against victims viewing a
list's "listinfo" page. (CVE-2008-0564, CVE-2010-3089)

Red Hat would like to thank Mark Sapiro for reporting the CVE-2011-0707 and
CVE-2010-3089 issues.

Users of mailman should upgrade to this updated package, which contains
backported patches to correct these issues.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Server - Extended Update Support 5.6 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 5.6 ia64
  • Red Hat Enterprise Linux Server - Extended Update Support 5.6 i386
  • Red Hat Enterprise Linux Server - Extended Update Support 4.8 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 4.8 ia64
  • Red Hat Enterprise Linux Server - Extended Update Support 4.8 i386
  • Red Hat Enterprise Linux Server - AUS 5.6 x86_64
  • Red Hat Enterprise Linux Server - AUS 5.6 ia64
  • Red Hat Enterprise Linux Server - AUS 5.6 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.6 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux for Power, big endian 4 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.6 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386
  • Red Hat Enterprise Linux Server - Extended Update Support from RHUI 5.6 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support from RHUI 5.6 i386

Fixes

  • BZ - 431526 - CVE-2008-0564 mailman: XSS triggerable by list administrator
  • BZ - 631881 - CVE-2010-3089 mailman: Multiple security flaws leading to cross-site scripting (XSS) attacks
  • BZ - 677375 - CVE-2011-0707 Mailman: Three XSS flaws due improper escaping of the full name of the member

CVEs

References

Red Hat Enterprise Linux Server 5

SRPM
mailman-2.1.9-6.el5_6.1.src.rpm SHA-256: 23687bc37a2085061154261d2b3dd016f7b3ae61d8cec9a9b3a41b5c1a6ac883
x86_64
mailman-2.1.9-6.el5_6.1.x86_64.rpm SHA-256: bc9e0f165a9d189b627c94f1ba5b85b9e4d797e40c5805b292d73e92ee5086c2
ia64
mailman-2.1.9-6.el5_6.1.ia64.rpm SHA-256: bc5d1fe55c4a57544b97c97619a1094851c0a3991edae157dbd407e06e654d67
i386
mailman-2.1.9-6.el5_6.1.i386.rpm SHA-256: 2e93c91b2b127e50c16dd4ea44352a3409aebde2da70bfbaba777d059d5cdbdd

Red Hat Enterprise Linux Server 4

SRPM
mailman-2.1.5.1-34.rhel4.7.src.rpm SHA-256: 758954b5dd674290ee40679ca00928e99583a2df92d9517cbc683d70c6010cf0
x86_64
mailman-2.1.5.1-34.rhel4.7.x86_64.rpm SHA-256: f37699d4d7291fa543dafd8762e1e309ab517008173448dd1dcce451094503ac
mailman-2.1.5.1-34.rhel4.7.x86_64.rpm SHA-256: f37699d4d7291fa543dafd8762e1e309ab517008173448dd1dcce451094503ac
ia64
mailman-2.1.5.1-34.rhel4.7.ia64.rpm SHA-256: 22a968b7345fcc5a83406118616c24a593313eb50e5f2b42c9da5a2388220078
mailman-2.1.5.1-34.rhel4.7.ia64.rpm SHA-256: 22a968b7345fcc5a83406118616c24a593313eb50e5f2b42c9da5a2388220078
i386
mailman-2.1.5.1-34.rhel4.7.i386.rpm SHA-256: 3729f0fd3f081b150eb2892e9d4dd1a16d19f89a83b984778dac48052ae92ccb
mailman-2.1.5.1-34.rhel4.7.i386.rpm SHA-256: 3729f0fd3f081b150eb2892e9d4dd1a16d19f89a83b984778dac48052ae92ccb

Red Hat Enterprise Linux Server - Extended Update Support 5.6

SRPM
mailman-2.1.9-6.el5_6.1.src.rpm SHA-256: 23687bc37a2085061154261d2b3dd016f7b3ae61d8cec9a9b3a41b5c1a6ac883
x86_64
mailman-2.1.9-6.el5_6.1.x86_64.rpm SHA-256: bc9e0f165a9d189b627c94f1ba5b85b9e4d797e40c5805b292d73e92ee5086c2
ia64
mailman-2.1.9-6.el5_6.1.ia64.rpm SHA-256: bc5d1fe55c4a57544b97c97619a1094851c0a3991edae157dbd407e06e654d67
i386
mailman-2.1.9-6.el5_6.1.i386.rpm SHA-256: 2e93c91b2b127e50c16dd4ea44352a3409aebde2da70bfbaba777d059d5cdbdd

Red Hat Enterprise Linux Server - Extended Update Support 4.8

SRPM
mailman-2.1.5.1-34.rhel4.7.src.rpm SHA-256: 758954b5dd674290ee40679ca00928e99583a2df92d9517cbc683d70c6010cf0
x86_64
mailman-2.1.5.1-34.rhel4.7.x86_64.rpm SHA-256: f37699d4d7291fa543dafd8762e1e309ab517008173448dd1dcce451094503ac
mailman-2.1.5.1-34.rhel4.7.x86_64.rpm SHA-256: f37699d4d7291fa543dafd8762e1e309ab517008173448dd1dcce451094503ac
ia64
mailman-2.1.5.1-34.rhel4.7.ia64.rpm SHA-256: 22a968b7345fcc5a83406118616c24a593313eb50e5f2b42c9da5a2388220078
mailman-2.1.5.1-34.rhel4.7.ia64.rpm SHA-256: 22a968b7345fcc5a83406118616c24a593313eb50e5f2b42c9da5a2388220078
i386
mailman-2.1.5.1-34.rhel4.7.i386.rpm SHA-256: 3729f0fd3f081b150eb2892e9d4dd1a16d19f89a83b984778dac48052ae92ccb
mailman-2.1.5.1-34.rhel4.7.i386.rpm SHA-256: 3729f0fd3f081b150eb2892e9d4dd1a16d19f89a83b984778dac48052ae92ccb

Red Hat Enterprise Linux Workstation 4

SRPM
mailman-2.1.5.1-34.rhel4.7.src.rpm SHA-256: 758954b5dd674290ee40679ca00928e99583a2df92d9517cbc683d70c6010cf0
x86_64
mailman-2.1.5.1-34.rhel4.7.x86_64.rpm SHA-256: f37699d4d7291fa543dafd8762e1e309ab517008173448dd1dcce451094503ac
ia64
mailman-2.1.5.1-34.rhel4.7.ia64.rpm SHA-256: 22a968b7345fcc5a83406118616c24a593313eb50e5f2b42c9da5a2388220078
i386
mailman-2.1.5.1-34.rhel4.7.i386.rpm SHA-256: 3729f0fd3f081b150eb2892e9d4dd1a16d19f89a83b984778dac48052ae92ccb

Red Hat Enterprise Linux Desktop 4

SRPM
mailman-2.1.5.1-34.rhel4.7.src.rpm SHA-256: 758954b5dd674290ee40679ca00928e99583a2df92d9517cbc683d70c6010cf0
x86_64
mailman-2.1.5.1-34.rhel4.7.x86_64.rpm SHA-256: f37699d4d7291fa543dafd8762e1e309ab517008173448dd1dcce451094503ac
i386
mailman-2.1.5.1-34.rhel4.7.i386.rpm SHA-256: 3729f0fd3f081b150eb2892e9d4dd1a16d19f89a83b984778dac48052ae92ccb

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
mailman-2.1.9-6.el5_6.1.src.rpm SHA-256: 23687bc37a2085061154261d2b3dd016f7b3ae61d8cec9a9b3a41b5c1a6ac883
s390x
mailman-2.1.9-6.el5_6.1.s390x.rpm SHA-256: 1bc5dba92591bf900ee23b1dddc5e81250e6138f509883289f8dd7385c263f43

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
mailman-2.1.5.1-34.rhel4.7.src.rpm SHA-256: 758954b5dd674290ee40679ca00928e99583a2df92d9517cbc683d70c6010cf0
s390x
mailman-2.1.5.1-34.rhel4.7.s390x.rpm SHA-256: d1c4a5393e7eb0a7910701ac37c9fb80e987105bb8da44b98b2401991f6f8246
s390
mailman-2.1.5.1-34.rhel4.7.s390.rpm SHA-256: 847bbc41d9b396fce27d775c6f08d9a5357a05713fd07082f0533cb667631c84

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.6

SRPM
mailman-2.1.9-6.el5_6.1.src.rpm SHA-256: 23687bc37a2085061154261d2b3dd016f7b3ae61d8cec9a9b3a41b5c1a6ac883
s390x
mailman-2.1.9-6.el5_6.1.s390x.rpm SHA-256: 1bc5dba92591bf900ee23b1dddc5e81250e6138f509883289f8dd7385c263f43

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8

SRPM
mailman-2.1.5.1-34.rhel4.7.src.rpm SHA-256: 758954b5dd674290ee40679ca00928e99583a2df92d9517cbc683d70c6010cf0
s390x
mailman-2.1.5.1-34.rhel4.7.s390x.rpm SHA-256: d1c4a5393e7eb0a7910701ac37c9fb80e987105bb8da44b98b2401991f6f8246
s390
mailman-2.1.5.1-34.rhel4.7.s390.rpm SHA-256: 847bbc41d9b396fce27d775c6f08d9a5357a05713fd07082f0533cb667631c84

Red Hat Enterprise Linux for Power, big endian 4

SRPM
mailman-2.1.5.1-34.rhel4.7.src.rpm SHA-256: 758954b5dd674290ee40679ca00928e99583a2df92d9517cbc683d70c6010cf0
ppc
mailman-2.1.5.1-34.rhel4.7.ppc.rpm SHA-256: 66dd367eb69fb97d334ea32d378ad2f7d3d99de7854370e0680e9b6e501055df

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.6

SRPM
mailman-2.1.9-6.el5_6.1.src.rpm SHA-256: 23687bc37a2085061154261d2b3dd016f7b3ae61d8cec9a9b3a41b5c1a6ac883
ppc
mailman-2.1.9-6.el5_6.1.ppc.rpm SHA-256: bf7d7169dfc83d65a4053b2d573ae714ba1275a927b4dff4d470f1d2e1cd72f1

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8

SRPM
mailman-2.1.5.1-34.rhel4.7.src.rpm SHA-256: 758954b5dd674290ee40679ca00928e99583a2df92d9517cbc683d70c6010cf0
ppc
mailman-2.1.5.1-34.rhel4.7.ppc.rpm SHA-256: 66dd367eb69fb97d334ea32d378ad2f7d3d99de7854370e0680e9b6e501055df

Red Hat Enterprise Linux Server from RHUI 5

SRPM
mailman-2.1.9-6.el5_6.1.src.rpm SHA-256: 23687bc37a2085061154261d2b3dd016f7b3ae61d8cec9a9b3a41b5c1a6ac883
x86_64
mailman-2.1.9-6.el5_6.1.x86_64.rpm SHA-256: bc9e0f165a9d189b627c94f1ba5b85b9e4d797e40c5805b292d73e92ee5086c2
i386
mailman-2.1.9-6.el5_6.1.i386.rpm SHA-256: 2e93c91b2b127e50c16dd4ea44352a3409aebde2da70bfbaba777d059d5cdbdd

Red Hat Enterprise Linux Server - Extended Update Support from RHUI 5.6

SRPM
mailman-2.1.9-6.el5_6.1.src.rpm SHA-256: 23687bc37a2085061154261d2b3dd016f7b3ae61d8cec9a9b3a41b5c1a6ac883
x86_64
mailman-2.1.9-6.el5_6.1.x86_64.rpm SHA-256: bc9e0f165a9d189b627c94f1ba5b85b9e4d797e40c5805b292d73e92ee5086c2
i386
mailman-2.1.9-6.el5_6.1.i386.rpm SHA-256: 2e93c91b2b127e50c16dd4ea44352a3409aebde2da70bfbaba777d059d5cdbdd

Red Hat Enterprise Linux Server - AUS 5.6

SRPM
mailman-2.1.9-6.el5_6.1.src.rpm SHA-256: 23687bc37a2085061154261d2b3dd016f7b3ae61d8cec9a9b3a41b5c1a6ac883
x86_64
mailman-2.1.9-6.el5_6.1.x86_64.rpm SHA-256: bc9e0f165a9d189b627c94f1ba5b85b9e4d797e40c5805b292d73e92ee5086c2
ia64
mailman-2.1.9-6.el5_6.1.ia64.rpm SHA-256: bc5d1fe55c4a57544b97c97619a1094851c0a3991edae157dbd407e06e654d67
i386
mailman-2.1.9-6.el5_6.1.i386.rpm SHA-256: 2e93c91b2b127e50c16dd4ea44352a3409aebde2da70bfbaba777d059d5cdbdd

Red Hat Enterprise Linux Workstation 5

SRPM
mailman-2.1.9-6.el5_6.1.src.rpm SHA-256: 23687bc37a2085061154261d2b3dd016f7b3ae61d8cec9a9b3a41b5c1a6ac883
x86_64
mailman-2.1.9-6.el5_6.1.x86_64.rpm SHA-256: bc9e0f165a9d189b627c94f1ba5b85b9e4d797e40c5805b292d73e92ee5086c2
i386
mailman-2.1.9-6.el5_6.1.i386.rpm SHA-256: 2e93c91b2b127e50c16dd4ea44352a3409aebde2da70bfbaba777d059d5cdbdd

Red Hat Enterprise Linux for Power, big endian 5

SRPM
mailman-2.1.9-6.el5_6.1.src.rpm SHA-256: 23687bc37a2085061154261d2b3dd016f7b3ae61d8cec9a9b3a41b5c1a6ac883
ppc
mailman-2.1.9-6.el5_6.1.ppc.rpm SHA-256: bf7d7169dfc83d65a4053b2d573ae714ba1275a927b4dff4d470f1d2e1cd72f1

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.