mailman does not install

Bug #13112 reported by Debian Bug Importer
Affects           Status        Importance  Assigned to      Milestone
mailman (Debian)  Fix Released  Unknown     -                -
mailman (Ubuntu)  Invalid       High        Tollef Fog Heen  -

Bug Description

Automatically imported from Debian bug report #296119 http://bugs.debian.org/296119

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #296119 http://bugs.debian.org/296119

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 20 Feb 2005 12:54:36 +0100
From: Arnout Boelens <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mailman does not install

Package: mailman
Version: 2.0.11-1woody10
Severity: grave
Justification: renders package unusable

When I try to install the latest security update of mailman I get the
following error:

  File "/usr/lib/mailman/Mailman/Cgi/private.py", line 82
      parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
                       ^
SyntaxError: invalid syntax

And the package won't install

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux gandalf 2.4.18-386 #2 Sun Apr 14 10:38:08 EST 2002 i586
Locale: LANG=C, LC_CTYPE=C

Versions of packages mailman depends on:
ii apache 1.3.26-0woody6 Versatile, high-performance HTTP s
ii apache [httpd] 1.3.26-0woody6 Versatile, high-performance HTTP s
ii cron 3.0pl1-72 management of regular background p
ii debconf 1.2.23 Debian configuration management sy
ii libc6 2.2.5-11.8 GNU C Library: Shared libraries an
ii logrotate 3.5.9-8 Log rotation utility
ii postfix [mail-transport 1.1.11-0.woody3 A high-performance mail transport
ii python-base [python] 1.5.2-10potato11 An interactive object-oriented scr

Revision history for this message
Tollef Fog Heen (tfheen) wrote :

We don't have this version in Warty at all, so resolving as notwarty.

Revision history for this message
Tollef Fog Heen (tfheen) wrote : tagging 296119, merging 294647 296119

# Automatically generated email from bts, devscripts version 2.8.6
tags 296119 + woody
merge 294647 296119

Revision history for this message
Tollef Fog Heen (tfheen) wrote : [Martin Schulze] [SECURITY] [DSA 674-3] New mailman packages really fix several vulnerabilities

--------------------------------------------------------------------------
Debian Security Advisory DSA 674-3 <email address hidden>
http://www.debian.org/security/ Martin Schulze
February 21st, 2005 http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : mailman
Vulnerability : cross-site scripting, directory traversal
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-1177 CAN-2005-0202

Due to an incompatibility between Python 1.5 and 2.1 the last mailman
update did not run with Python 1.5 anymore. This problem is corrected
with this update. This advisory only updates the packages updated
with DSA 674-2. The version in unstable is not affected since it is
not supposed to work with Python 1.5 anymore. For completeness below
is the original advisory text:

  Two security related problems have been discovered in mailman, the
  web-based GNU mailing list manager. The Common Vulnerabilities and
  Exposures project identifies the following problems:

  CAN-2004-1177

      Florian Weimer discovered a cross-site scripting vulnerability in
      mailman's automatically generated error messages. An attacker
      could craft a URL containing JavaScript (or other content
      embedded into HTML) which triggered a mailman error page that
      would include the malicious code verbatim.

  CAN-2005-0202

      Several listmasters have noticed unauthorised access to archives
      of private lists and the list configuration itself, including the
      users' passwords. Administrators are advised to check the
      webserver logfiles for requests that contain "/...../" and the
      path to the archives or configuration. This only seems to
      affect installations running on web servers that do not strip
      slashes, such as Apache 1.3.

For the stable distribution (woody) these problems have been fixed in
version 2.0.11-1woody11.

We recommend that you upgrade your mailman package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody11.dsc
      Size/MD5 checksum: 597 2bd1ff64a1bdaa6655656c5ec2b10db8
    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody11.diff.gz
      Size/MD5 checksum: 33161 6b4be5023a62ba488398a174bd9139fe
    http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11.orig.tar.gz
      Size/MD5 checksum: 415129 915264cb1ac8d7b78ea9eff3ba38ee04

  Alpha architecture:

    http://security.debian.org/pool...

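The advisory above tells listmasters to search their web server logs for requests containing "/...../", and the install failure earlier in this report is the list comprehension in private.py that Python 1.5 cannot parse. The following is an added example, not code from mailman or from the advisory: it scans constructed Apache access-log lines for that indicator (assuming mailman's CGI is served under /mailman/) and spells the path-component filter from the traceback as a loop, the form that parses on Python 1.5 as well.

```python
import re

# Constructed Apache 1.3 combined-format log lines (not from the page) that
# exercise the advisory's indicator: requests containing "/...../" aimed at
# the private archives or the configuration of a mailman 2.0 list.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Feb/2005:11:29:17 +0100] "GET /mailman/private/listname/ HTTP/1.0" 200 1450 "-" "Mozilla/4.0"
10.0.0.9 - - [21/Feb/2005:11:30:02 +0100] "GET /mailman/private/listname/...../....//config.pck HTTP/1.0" 200 8231 "-" "Wget/1.8"
10.0.0.9 - - [21/Feb/2005:11:30:40 +0100] "GET /mailman/private/listname/...../...../archives/private/listname/ HTTP/1.0" 200 512 "-" "Wget/1.8"
10.0.0.7 - - [21/Feb/2005:11:31:11 +0100] "GET /mailman/listinfo/listname HTTP/1.0" 200 2200 "-" "Mozilla/4.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')
INDICATOR = "/...../"   # the pattern the advisory asks administrators to look for
MAILMAN_PREFIX = "/mailman/"  # assumption: where the mailman CGIs are served

def request_path(line):
    """Pull the request target out of a combined-format access-log line."""
    m = REQUEST_RE.search(line)
    return m.group("path") if m else None

def is_traversal_probe(path):
    """True when the request carries the advisory's indicator and is aimed
    at mailman's archives or configuration pages."""
    return INDICATOR in path and MAILMAN_PREFIX in path

def find_probes(log_text):
    """Return (line_number, path) for every request matching the indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        path = request_path(line)
        if path and is_traversal_probe(path):
            hits.append((n, path))
    return hits

def clean_parts(path, slash="/"):
    """The component filter from the traceback on this page, written as a
    plain loop: list comprehensions only arrived in Python 2.0, which is
    why the one-line form raised SyntaxError under Python 1.5."""
    parts = []
    for x in path.split(slash):
        if x not in (".", ".."):
            parts.append(x)
    return parts

if __name__ == "__main__":
    for n, path in find_probes(SAMPLE_LOG):
        print("line %d: %s" % (n, path))
```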


Changed in mailman:
status: Unknown → Fix Released