Discussion:
Mailman vulnerability
Martin Marques
2006-10-05 12:19:48 UTC
I have a FC4 web server installed and got this mailman report:

http://www.securityfocus.com/bid/19831/discuss

Is it something to worry about?

I am thinking about promoting it to FC5 but as it is a server in
production I want to make a very good plan first.

--
21:50:04 up 2 days, 9:07, 0 users, load average: 0.92, 0.37, 0.18
---------------------------------------------------------
Lic. Martín Marqués | SELECT 'mmarques' ||
Centro de Telemática | '@' || 'unl.edu.ar';
Universidad Nacional | DBA, Programador,
del Litoral | Administrador
---------------------------------------------------------
Michal Jaegermann
2006-10-05 16:12:45 UTC
Post by Martin Marques
http://www.securityfocus.com/bid/19831/discuss
Is it something to worry about?
Probably. See also http://rhn.redhat.com/errata/RHSA-2006-0600.html

FC4 is using mailman-2.1.5-35 so fixes in sources used by
RHEL4, as specified by RHSA-2006-0600, will likely apply directly
or after minimal modifications. You can produce your own
update before something general eventually will show up.
Add patches, edit specs and rebuild rpm.

Michal
Martin Marques
2006-10-07 14:51:43 UTC
Post by Michal Jaegermann
Post by Martin Marques
http://www.securityfocus.com/bid/19831/discuss
Is it something to worry about?
Probably. See also http://rhn.redhat.com/errata/RHSA-2006-0600.html
FC4 is using mailman-2.1.5-35 so fixes in sources used by
Nope.

# rpm -qa | grep mailman
mailman-2.1.8-0.FC4.1
Post by Michal Jaegermann
RHEL4, as specified by RHSA-2006-0600, will likely apply directly
or after minimal modifications. You can produce your own
update before something general eventually will show up.
Add patches, edit specs and rebuild rpm.
I'm getting the source rpm, and I'll try to apply the patch.

Do I submit the src.rpm afterwards?

Martin Marques
2006-11-08 11:45:40 UTC
Post by Michal Jaegermann
Post by Martin Marques
http://www.securityfocus.com/bid/19831/discuss
Is it something to worry about?
Probably. See also http://rhn.redhat.com/errata/RHSA-2006-0600.html
FC4 is using mailman-2.1.5-35 so fixes in sources used by
RHEL4, as specified by RHSA-2006-0600, will likely apply directly
or after minimal modifications. You can produce your own
update before something general eventually will show up.
Add patches, edit specs and rebuild rpm.
Sorry for the delay. I'm working on this right now. But I found that
patches for RHEL are for mailman 2.1.5 and we are on 2.1.8, making patches
fail. So I'm trying to build new patches based on the RHEL ones.

Would you people like to see the patches first or do I send the src.rpm?

Jesse Keating
2006-11-08 12:19:02 UTC
Post by Martin Marques
Would you people like to see the patches first or do I send the src.rpm?
Either way. We now manage FC-4 in CVS so adding just a patch to generate an
updates-testing rpm is easy enough.
--
Jesse Keating
Release Engineer: Fedora
Martin Marques
2006-11-08 13:22:06 UTC
Post by Jesse Keating
Post by Martin Marques
Would you people like to see the patches first or do I send the src.rpm?
Either way. We now manage FC-4 in CVS so adding just a patch to generate an
updates-testing rpm is easy enough.
Excellent, because this one is giving me a hard time (attached file). I get
this error when trying to build the rpm:

Patch #9 (mailman-2.1-CVE-2006-3636.patch):
+ patch -p1 -b --suffix .CVE-2006-3636 -s
9 out of 9 hunks FAILED -- saving rejects to file
Mailman/Cgi/edithtml.py.rej
error: Bad exit status from /var/tmp/rpm-tmp.59741 (%prep)


Martin Marques
2006-11-14 19:56:27 UTC
Post by Jesse Keating
Post by Martin Marques
Would you people like to see the patches first or do I send the src.rpm?
Either way. We now manage FC-4 in CVS so adding just a patch to generate an
updates-testing rpm is easy enough.
OK. I finished adding patches to mailman from RHEL to FC4, resulting in
the next src.rpm:

http://bugs.unl.edu.ar/~martin/mailman-2.1.8-1.FC4.1.legacy.src.rpm

Also have a binary:

http://bugs.unl.edu.ar/~martin/mailman-2.1.8-1.FC4.1.legacy.i386.rpm

At this moment I can't test the rpm because the only FC4 I have is a
dedicated server. But be sure that the only change I added from the previous
version was adding the last 2 patches (see the .spec file).

Let me know how things work out.

David Eisenstein
2006-11-15 06:50:46 UTC
Post by Martin Marques
Post by Jesse Keating
Post by Martin Marques
Would you people like to see the patches first or do I send the src.rpm?
Either way. We now manage FC-4 in CVS so adding just a patch to generate an
updates-testing rpm is easy enough.
OK. I finished adding patches to mailman from RHEL to FC4, resulting in
http://bugs.unl.edu.ar/~martin/mailman-2.1.8-1.FC4.1.legacy.src.rpm
http://bugs.unl.edu.ar/~martin/mailman-2.1.8-1.FC4.1.legacy.i386.rpm
At this moment I can't test the rpm because the only FC4 I have is a
dedicated server. But be sure that the only change I added from the previous
version was adding the last 2 patches (see the .spec file).
Let me know how things work out.
Thanks a bunch, Martin! :) Info on your source package has been placed
into Bugzilla #209891 <http://tinyurl.com/yje83r>, and hopefully we'll soon
have this QA'ed and published in the Legacy repositories!

We still need work on the FC3 version of this package:
mailman-2.1.5-32.fc3.src.rpm
in Bugzilla #211676.

Thanks again. :) -David
Martin Marques
2006-11-15 14:25:23 UTC
Post by David Eisenstein
mailman-2.1.5-32.fc3.src.rpm
in Bugzilla #211676.
This should be easier, as the patches I used from RHEL (attached in this mail) were for mailman 2.1.5. Maybe they can be applied directly.

Martin Marques
2006-11-16 14:04:39 UTC
Post by David Eisenstein
Thanks a bunch, Martin! :) Info on your source package has been placed
into Bugzilla #209891 <http://tinyurl.com/yje83r>, and hopefully we'll soon
have this QA'ed and published in the Legacy repositories!
mailman-2.1.5-32.fc3.src.rpm
in Bugzilla #211676.
Try this for FC3:

http://bugs.unl.edu.ar/~martin/mailman-2.1.5-33.fc3.legacy.src.rpm

All I did was add the 2 patches from RHEL. Check it out.


David Eisenstein
2006-10-07 15:13:52 UTC
----- Original Message -----
From: "Martin Marques" <***@bugs.unl.edu.ar>
To: <fedora-legacy-***@redhat.com>
Sent: Thursday, October 05, 2006 7:19 AM
Subject: Mailman vulnerability
Post by Martin Marques
http://www.securityfocus.com/bid/19831/discuss
Is it something to worry about?
I am thinking about promoting it to FC5 but as it is a server in
production I want to make a very good plan first.
Hi Martin,

Thanks for writing. Indeed, these are issues that we in Legacy need to
deal with. As far as I can tell, the latest version of mailman released
for FC4 was mailman-2.1.8-9.FC4.1, released around 9-May-2006. The issue
discussed in that securityfocus BID 19831 indicates that mailman-2.1.8 is
vulnerable to those issues.

Red Hat Security Team (in RHSA-2006-0600) has rated two of the three CVE
issues mentioned in BID 19831 as having a moderate security impact:

"A flaw was found in the way Mailman handled MIME multipart messages.
An attacker could send a carefully crafted MIME multipart email message
to a mailing list run by Mailman which caused that particular mailing
list to stop working. (CVE-2006-2941)

"Several cross-site scripting (XSS) issues were found in Mailman.
An attacker could exploit these issues to perform cross-site scripting
attacks against the Mailman administrator. (CVE-2006-3636)"

The third issue is CVE-2006-4624: "CRLF injection vulnerability in
Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof
messages in the error log and possibly trick the administrator into
visiting malicious URLs via a carriage return/line feed sequences in the
URI." This issue has been given a low security impact, and hasn't yet
been fixed by Red Hat Enterprise Linux. However, Fedora Core 6 Test 2
upgraded to mailman-2.1.9, which fixes all three problems.

Would you like us to do similarly for FC4/FC3?

Have entered Bug
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209891>
for this issue.

Regards,
David Eisenstein
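CVE-2006-4624, as quoted above, is a log-injection problem: a CR/LF sequence in a request URI lets the remainder of the URI land in Mailman's error log as if it were a separate record. The Python below is an added illustration and is not Mailman's code (the Utils.py fix itself is not reproduced here); it shows the two defensive halves, escaping control characters before a value is written to the log, and scanning an existing log for lines that look like a split or forged record. The record stamp format, the sample URI and the sample log are constructed for the example.

```python
import re
import urllib.parse

# Any C0 control character or DEL. CR (0x0d) and LF (0x0a) are what break a
# line-oriented log, but escaping the whole class is simpler to reason about.
_CONTROL = re.compile(r'[\x00-\x1f\x7f]')

# Assumed record prefix, modelled on Mailman 2.1's "Mon DD HH:MM:SS YYYY (pid)" stamp.
_STAMP = re.compile(r'^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4} \(\d+\) ')


def sanitize_for_log(value):
    """Escape control characters so one logged value stays on one log line."""
    return _CONTROL.sub(lambda m: '\\x%02x' % ord(m.group(0)), value)


def error_record(stamp, uri):
    """Build the record an error handler would write for a rejected request URI.

    The URI is percent-decoded first, as the CGI layer already has by the time
    the value is logged, so an encoded %0d%0a reaches the sanitizer as a real
    CR/LF pair and is neutralised there instead of ending the record early.
    """
    return '%s bad URI: %s' % (stamp, sanitize_for_log(urllib.parse.unquote(uri)))


def find_suspect_lines(log_text):
    """Return (line_number, text) for lines that look like a split or forged record.

    Catches a record split by a bare LF (the tail has no stamp) and a stray CR
    left on a line. A forged tail that carries its own stamp is indistinguishable
    from a genuine record, which is why escaping at write time is the real fix.
    """
    suspects = []
    for number, line in enumerate(log_text.split('\n'), start=1):
        if line and (not _STAMP.match(line) or '\r' in line):
            suspects.append((number, line))
    return suspects


# Constructed sample: a URI carrying an encoded CR/LF, and the log an unsanitized
# logger would have written for it (the second line is entirely attacker-supplied).
STAMP = 'Oct 05 12:19:48 2006 (4242)'
CRAFTED_URI = '/mailman/listinfo/foo%0d%0aforged: admin password changed'
UNSAFE_LOG = ('Oct 05 12:19:48 2006 (4242) bad URI: /mailman/listinfo/foo\r\n'
              'forged: admin password changed\n')

if __name__ == '__main__':
    print(error_record(STAMP, CRAFTED_URI))
    print(find_suspect_lines(UNSAFE_LOG))
```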
David Eisenstein
2006-10-07 15:36:19 UTC
----- Original Message -----
From: "Martin Marques" <***@bugs.unl.edu.ar>
To: "Discussion of the Fedora Legacy Project" <fedora-legacy-***@redhat.com>
Sent: Saturday, October 07, 2006 9:51 AM
Subject: Re: Mailman vulnerability
Post by Martin Marques
Post by Michal Jaegermann
Post by Martin Marques
http://www.securityfocus.com/bid/19831/discuss
Is it something to worry about?
Probably. See also http://rhn.redhat.com/errata/RHSA-2006-0600.html
FC4 is using mailman-2.1.5-35 so fixes in sources used by
Nope.
# rpm -qa | grep mailman
mailman-2.1.8-0.FC4.1
Post by Michal Jaegermann
RHEL4, as specified by RHSA-2006-0600, will likely apply directly
or after minimal modifications. You can produce your own
update before something general eventually will show up.
Add patches, edit specs and rebuild rpm.
Hi Martin!

Our emails must have crossed, so mine was at cross-purposes to what you
just wrote. :)
Post by Martin Marques
I'm getting the source rpm, and I'll try to apply the patch.
Do I submit the src.rpm afterwards?
Yes! If you get the patched mailman-2.1.8-0.FC4.1 to work okay with the
patches, please do post the .src.rpm on the web, and let us know you have
done so in Bugzilla Bug #209891! We can then test & QA it and work on
getting it released to updates.

Thanks! --David