Home page logo

fulldisclosure logo Full Disclosure mailing list archives

[USN-78-1] Mailman vulnerability
From: Martin Pitt <martin.pitt () canonical com>
Date: Wed, 9 Feb 2005 22:43:55 +0100

Ubuntu Security Notice USN-78-1           February 09, 2005
mailman vulnerabilities

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:


The problem can be corrected by upgrading the affected package to
version 2.1.5-1ubuntu2.3.  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

An path traversal vulnerability has been discovered in the "private"
module of Mailman. A flawed path sanitation algorithm allowed the
construction of URLS to arbitrary files readable by Mailman. This
allowed a remote attacker to retrieve configuration and password
databases, private list archives, and other files.

  Source archives:

      Size/MD5:   127209 e37f6db6c8865ce3ef25f059b2eb953d
      Size/MD5:      658 01146e7ec488733d760c14c58f5267db
      Size/MD5:  5745912 f5f56f04747cd4aff67427e7a45631af

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

      Size/MD5:  6602410 4f9448fabe11cb71d8946820988cd92c

  i386 architecture (x86 compatible Intel/AMD)

      Size/MD5:  6601808 dda12aca142243dac243268acd9109e8

  powerpc architecture (Apple Macintosh G3/G4/G5)

      Size/MD5:  6610862 135e0c700546df9a4ff65025a9edaeea

Attachment: signature.asc
Description: Digital signature

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • [USN-78-1] Mailman vulnerability Martin Pitt (Feb 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]