{"id":"DSA-674-2","summary":"mailman - cross-site scripting, directory traversal","details":"\nDue to an incompatibility between Python 1.5 and 2.1, the last mailman\nupdate no longer ran with Python 1.5. This problem is corrected\nwith this update. This advisory only updates the packages updated\nby the previous advisory, DSA 674-1. The version in unstable is not\naffected since it is not supposed to work with Python 1.5 anymore.\nFor completeness, the original advisory text follows:\n\n\u003e Two security related problems have been discovered in mailman, the\n\u003e web-based GNU mailing list manager. The Common Vulnerabilities and\n\u003e Exposures project identifies the following problems:\n\u003e \n\u003e * [CAN-2004-1177](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1177)\n\u003e  Florian Weimer discovered a cross-site scripting vulnerability in\n\u003e  mailman's automatically generated error messages. An attacker\n\u003e  could craft a URL containing JavaScript (or other content\n\u003e  embedded into HTML) which triggered a mailman error page that\n\u003e  would include the malicious code verbatim.\n\u003e \n\u003e * [CAN-2005-0202](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0202)\n\u003e  Several listmasters have noticed unauthorised access to archives\n\u003e  of private lists and the list configuration itself, including the\n\u003e  users' passwords. Administrators are advised to check the\n\u003e  webserver logfiles for requests that contain \"/...../\" and the\n\u003e  path to the archives or configuration. This only seems to\n\u003e  affect installations running on web servers that do not strip\n\u003e  slashes, such as Apache 1.3.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 2.0.11-1woody11.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 2.1.5-6.\n\nWe recommend that you upgrade your mailman package.\n","modified":"2022-07-04T02:01:11.244065Z","published":"2005-02-21T00:00:00Z","withdrawn":"2024-05-15T05:36:14.084508Z","schema_version":"1.7.3"}
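The CAN-2005-0202 entry above tells administrators to search the web server logs for requests containing "/...../" together with the path to the archives or list configuration. The following is an added example of that check, written for this page; it is not code from the advisory or from Mailman. It assumes Apache common/combined log format, assumes Debian-style Mailman URL fragments ("mailman/private/", "pipermail/", "mailman/admin/") as the archive and configuration paths, widens the literal "/...../" token to any run of three or more dots between slashes, and percent-decodes the path before matching; the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# Assumed Mailman URL path fragments on a Debian install (the advisory names
# only "the path to the archives or configuration", not these strings):
# private archives, public (pipermail) archives, and the list admin interface.
SENSITIVE_FRAGMENTS = ("mailman/private/", "pipermail/", "mailman/admin/")

# Apache common/combined log line:
#   client ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The "/...../" token the advisory says to look for, widened (assumption) to
# any run of three or more dots between slashes so variants such as
# "/.../....///" are caught as well.
TRAVERSAL_RE = re.compile(r'/\.{3,}/+')


def is_traversal_request(raw_path):
    """True when the request path carries a dot-run traversal token and
    targets an archive or configuration path."""
    # Decode twice so %2E and double-encoded %252E probes become dots (assumption),
    # then drop any query string before matching.
    path = unquote(unquote(raw_path)).split("?", 1)[0]
    if not TRAVERSAL_RE.search(path):
        return False
    return any(fragment in path for fragment in SENSITIVE_FRAGMENTS)


def scan_log(lines):
    """Return (client, time, raw path, status) for each log line that looks
    like an archive/config traversal attempt; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_request(m.group("path")):
            hits.append((m.group("client"), m.group("time"),
                         m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log lines using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Feb/2005:09:01:12 +0000] "GET /pipermail/dev/2005-February/000001.html HTTP/1.1" 200 4521 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Feb/2005:09:02:40 +0000] "GET /cgi-bin/mailman/private/dev/...../....///etc/passwd HTTP/1.0" 200 1124 "-" "curl/7.12"',
    '198.51.100.7 - - [20/Feb/2005:09:03:02 +0000] "GET /cgi-bin/mailman/admin/dev/...../....///var/lib/mailman/lists/dev/config.pck HTTP/1.0" 200 20987 "-" "curl/7.12"',
    '203.0.113.5 - - [20/Feb/2005:09:05:19 +0000] "GET /icons/...../etc/passwd HTTP/1.0" 404 290 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [20/Feb/2005:09:06:44 +0000] "GET /cgi-bin/mailman/private/dev/%2E%2E%2E%2E%2E/%2E%2E%2E%2E///etc/passwd HTTP/1.0" 200 1124 "-" "Mozilla/4.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    # Three of the constructed lines are flagged: two plain and one percent-encoded probe
    # against the private archive or admin path; the /icons/ probe is ignored because it
    # does not touch an archive or configuration path.
    for client, when, path, status in scan_log(SAMPLE_LOG):
        print(f"{client} {when} {status} {path}")
```

A 200 status on a flagged line is the case to investigate first, since a server that collapses repeated slashes (the condition the advisory says makes installations unaffected) would not have served the traversal path as written; the /icons/ probe is deliberately left out of the hits to show that the advisory's check is the combination of the dot-run token and an archive or configuration path, not the token alone.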