diff -u mailman-2.1.8/debian/changelog mailman-2.1.8/debian/changelog
--- mailman-2.1.8/debian/changelog
+++ mailman-2.1.8/debian/changelog
@@ -1,3 +1,18 @@
+mailman (1:2.1.8-2ubuntu2.1) edgy-security; urgency=low
+
+ * SECURITY UPDATE:
+ + debian/patches/100_CVE-2008-0564.dpatch (LP: #199338)
+ - Multiple cross-site scripting (XSS) vulnerabilities in Mailman
+ before 2.1.10b1 allow remote attackers to inject arbitrary web
+ script or HTML via unspecified vectors related to (1) editing
+ templates and (2) the list's "info attribute" in the web
+ administrator interface.
+ * References
+ + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0564
+ + http://bugs.gentoo.org/show_bug.cgi?id=208710
+
+ -- Emanuele Gentili Fri, 07 Mar 2008 05:56:34 +0100
+
 mailman (1:2.1.8-2ubuntu2) edgy; urgency=low
 
 * SECURITY UPDATE: XSS.
diff -u mailman-2.1.8/debian/patches/00list mailman-2.1.8/debian/patches/00list
--- mailman-2.1.8/debian/patches/00list
+++ mailman-2.1.8/debian/patches/00list
@@ -38,0 +39 @@
+100_CVE-2008-0564
only in patch2:
unchanged:
--- mailman-2.1.8.orig/debian/patches/100_CVE-2008-0564.dpatch
+++ mailman-2.1.8/debian/patches/100_CVE-2008-0564.dpatch
@@ -0,0 +1,251 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 100_CVE-2008-0564.dpatch by Emanuele Gentili
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad mailman-2.1.8~/Mailman/Cgi/edithtml.py mailman-2.1.8/Mailman/Cgi/edithtml.py
+--- mailman-2.1.8~/Mailman/Cgi/edithtml.py 2008-03-07 05:49:47.000000000 +0100
++++ mailman-2.1.8/Mailman/Cgi/edithtml.py 2008-03-07 05:50:47.000000000 +0100
+@@ -159,7 +159,20 @@
+ doc.AddItem('
')
+ return
+ code = cgi_info['html_code'].value
+- code = re.sub(r'<([/]?script.*?)>', r'<\1>', code)
++ if Utils.suspiciousHTML(code):
++ doc.AddItem(Header(3,
++ _("""The page you saved contains suspicious HTML that could
++potentially expose your users to cross-site scripting attacks. This change
++has therefore been rejected. If you still want to make these changes, you
++must have shell access to your Mailman server.
++ """)))
++ doc.AddItem(_('See '))
++ doc.AddItem(Link(
++'http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.048.htp',
++ _('FAQ 4.48.')))
++ doc.AddItem(Header(3,_("Page Unchanged.")))
++ doc.AddItem('
')
++ return
+ langdir = os.path.join(mlist.fullpath(), mlist.preferred_language)
+ # Make sure the directory exists
+ omask = os.umask(0)
+diff -urNad mailman-2.1.8~/Mailman/Gui/GUIBase.py mailman-2.1.8/Mailman/Gui/GUIBase.py
+--- mailman-2.1.8~/Mailman/Gui/GUIBase.py 2005-08-27 03:40:15.000000000 +0200
++++ mailman-2.1.8/Mailman/Gui/GUIBase.py 2008-03-07 05:53:54.000000000 +0100
+@@ -122,10 +122,6 @@
+ # Validate all the attributes for this category
+ pass
+
+- def _escape(self, property, value):
+- value = value.replace('<', '<')
+- return value
+-
+ def handleForm(self, mlist, category, subcat, cgidata, doc):
+ for item in self.GetConfigInfo(mlist, category, subcat):
+ # Skip descriptions and legacy non-attributes
+@@ -144,10 +140,9 @@
+ elif not cgidata.has_key(property):
+ continue
+ elif isinstance(cgidata[property], ListType):
+- val = [self._escape(property, x.value)
+- for x in cgidata[property]]
++ val = [x.value for x in cgidata[property]]
+ else:
+- val = self._escape(property, cgidata[property].value)
++ val = cgidata[property].value
+ # Coerce the value to the expected type, raising exceptions if the
+ # value is invalid.
+ try:
+diff -urNad mailman-2.1.8~/Mailman/Gui/General.py mailman-2.1.8/Mailman/Gui/General.py
+--- mailman-2.1.8~/Mailman/Gui/General.py 2008-03-07 05:49:47.000000000 +0100
++++ mailman-2.1.8/Mailman/Gui/General.py 2008-03-07 05:52:13.000000000 +0100
+@@ -435,18 +435,21 @@
+ # Convert any html entities to Unicode
+ mlist.subject_prefix = Utils.canonstr(
+ val, mlist.preferred_language)
++ elif property == 'info':
++ if val <> mlist.info:
++ if Utils.suspiciousHTML(val):
++ doc.addError(_("""The info attribute you saved
++contains suspicious HTML that could potentially expose your users to cross-site
++scripting attacks. This change has therefore been rejected. If you still want
++to make these changes, you must have shell access to your Mailman server. 
++This change can be made with bin/withlist or with bin/config_list by setting
++mlist.info.
++ """))
++ else:
++ mlist.info = val
+ else:
+ GUIBase._setValue(self, mlist, property, val, doc)
+
+- def _escape(self, property, value):
+- # The 'info' property allows HTML, but let's sanitize it to avoid XSS
+- # exploits. Everything else should be fully escaped.
+- if property <> 'info':
+- return GUIBase._escape(self, property, value)
+- # Sanitize tags but nothing else. Not the best
+- # solution, but expedient.
+- return re.sub(r'(?i)<([/]?script.*?)>', r'<\1>', value)
+-
+ def _postValidate(self, mlist, doc):
+ if not mlist.reply_to_address.strip() and \
+ mlist.reply_goes_to_list == 2:
+diff -urNad mailman-2.1.8~/Mailman/Utils.py mailman-2.1.8/Mailman/Utils.py
+--- mailman-2.1.8~/Mailman/Utils.py 2006-03-18 18:23:04.000000000 +0100
++++ mailman-2.1.8/Mailman/Utils.py 2008-03-07 05:55:11.000000000 +0100
+@@ -865,3 +865,154 @@
+ except (LookupError, UnicodeError, ValueError, HeaderParseError):
+ # possibly charset problem. return with undecoded string in one line.
+ return EMPTYSTRING.join(s.splitlines())
++
++
++# Patterns and functions to flag possible XSS attacks in HTML.
++# This list is compiled from information at http://ha.ckers.org/xss.html,
++# http://www.quirksmode.org/js/events_compinfo.html,
++# http://www.htmlref.com/reference/appa/events1.htm,
++# http://lxr.mozilla.org/mozilla/source/content/events/src/nsDOMEvent.cpp#59,
++# http://www.w3.org/TR/DOM-Level-2-Events/events.html and
++# http://www.xulplanet.com/references/elemref/ref_EventHandlers.html
++# Many thanks are due to Moritz Naumann for his assistance with this.
++_badwords = [
++ '