Subject: Re: pkg/34567: [update] mail/mailman (security fixes)
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: pkgsrc-bugs
Date: 09/20/2006 15:10:03
The following reply was made to PR pkg/34567; it has been noted by GNATS.

From: Lubomir Sedlacik <salo@Xtrmntr.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/34567: [update] mail/mailman (security fixes)
Date: Wed, 20 Sep 2006 17:08:39 +0200

 On Wed, Sep 20, 2006 at 02:00:01PM +0000, Martin Wilke wrote:
 > >Synopsis:       [update] mail/mailman (security fixes)
 > >Description:
 > Update to 2.1.9
 >
 > Changes:
 >   Security
 >
 >     - A malicious user could visit a specially crafted URI and inject an
 >       apparent log message into Mailman's error log which might induce an
 >       unsuspecting administrator to visit a phishing site.  This has been
 >       blocked.  Thanks to Moritz Naumann for its discovery.
 >
 >     - Fixed denial of service attack which can be caused by some
 >       standards-breaking RFC 2231 formatted headers.  CVE-2006-2941.
 >
 >     - Several cross-site scripting issues have been fixed.  Thanks to Moritz
 >       Naumann for their discovery.  CVE-2006-3636
 >
 >     - Fixed an unexploitable format string vulnerability.  Discovery and fix
 >       by Karl Chen.  Analysis of non-exploitability by Martin 'Joey' Schulze.
 >       Also thanks go to Lionel Elie Mamane.  CVE-2006-2191.
 
 all these fixes are already included in pkgsrc, with the 2.1.9rc1
 update.
 
 >   Internationalization
 >
 >     - New languages: Arabic, Vietnamese.
 >
 >   Bug fixes and other patches
 >
 >     - Fixed Decorate.py so that characters in message header/footer which
 >       are not in the character set of the list's language are ignored rather
 >       than causing shunted messages (1507248).
 >
 >     - Switchboard.py - Closed very tiny holes at the upper ends of queue
 >       slices that could result in unprocessable queue entries.  Improved FIFO
 >       processing when two queue entries have the same timestamp.
 
 are there actually _any_ differences to 2.1.9rc1?
 your patch is against an older version, too.
 
 
 regards,
 
 -- 
 -- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org>   --
 