pkgsrc-Bugs archive


Re: pkg/34567: [update] mail/mailman (security fixes)



On Wed, 20 Sep 2006 15:10:03 +0000 (UTC)
Lubomir Sedlacik <salo%Xtrmntr.org@localhost> wrote:

> The following reply was made to PR pkg/34567; it has been noted by
> GNATS.
> 
> From: Lubomir Sedlacik <salo%Xtrmntr.org@localhost>
> To: gnats-bugs%NetBSD.org@localhost
> Cc: 
> Subject: Re: pkg/34567: [update] mail/mailman (security fixes)
> Date: Wed, 20 Sep 2006 17:08:39 +0200
> 
>  On Wed, Sep 20, 2006 at 02:00:01PM +0000, Martin Wilke wrote:
>  > >Synopsis:       [update] mail/mailman (security fixes)
>  > >Description:
>  > Update to 2.1.9
>  >
>  > Changes:
>  >   Security
>  >
>  >     - A malicious user could visit a specially crafted URI and
>  > inject an apparent log message into Mailman's error log which
>  > might induce an unsuspecting administrator to visit a phishing
>  > site.  This has been blocked.  Thanks to Moritz Naumann for its
>  > discovery.
>  >
>  >     - Fixed denial of service attack which can be caused by some
>  >       standards-breaking RFC 2231 formatted headers.
>  > CVE-2006-2941.
>  >
>  >     - Several cross-site scripting issues have been fixed.  Thanks
>  > to Moritz
>  >       Naumann for their discovery.  CVE-2006-3636
>  >
>  >     - Fixed an unexploitable format string vulnerability.
>  > Discovery and fix
>  >       by Karl Chen.  Analysis of non-exploitability by Martin
>  > 'Joey' Schulze.
>  >       Also thanks go to Lionel Elie Mamane.  CVE-2006-2191.
>  
>  all these fixes are already included in pkgsrc, with the 2.1.9rc1
>  update.
Doh sorry my tree is too old :(

>  
>  >   Internationalization
>  >
>  >     - New languages: Arabic, Vietnamese.
>  >
>  >   Bug fixes and other patches
>  >
>  >     - Fixed Decorate.py so that characters in message
>  > header/footer which are not in the character set of the list's
>  > language are ignored rather
>  >       than causing shunted messages (1507248).
>  >
>  >     - Switchboard.py - Closed very tiny holes at the upper ends of
>  > queue slices that could result in unprocessable queue entries.
>  > Improved FIFO
>  >       processing when two queue entries have the same timestamp.
>  
>  are there actually _any_ differences to 2.1.9rc1?
>  your patch is against an older version, too.
>  

Yes, here is a new patch 
http://people.freebsd.org/~miwi/netbsd/mailman.diff

>  
>  regards,
- Martin
>  
>  --
>  -- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org>   --
>  