pkgsrc-Bugs archive


Re: pkg/34567: [update] mail/mailman (security fixes)



The following reply was made to PR pkg/34567; it has been noted by GNATS.

From: Martin Wilke <netbsd%unixfreunde.de@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: salo%Xtrmntr.org@localhost, pkg-manager%netbsd.org@localhost,
        gnats-admin%netbsd.org@localhost, pkgsrc-bugs%netbsd.org@localhost,
        "Martin Wilke" <miwi%FreeBSD.org@localhost>
Subject: Re: pkg/34567: [update] mail/mailman (security fixes)
Date: Wed, 20 Sep 2006 18:47:18 +0200

 On Wed, 20 Sep 2006 15:10:03 +0000 (UTC)
 Lubomir Sedlacik <salo%Xtrmntr.org@localhost> wrote:
 
 > The following reply was made to PR pkg/34567; it has been noted by
 > GNATS.
 > 
 > From: Lubomir Sedlacik <salo%Xtrmntr.org@localhost>
 > To: gnats-bugs%NetBSD.org@localhost
 > Cc: 
 > Subject: Re: pkg/34567: [update] mail/mailman (security fixes)
 > Date: Wed, 20 Sep 2006 17:08:39 +0200
 > 
 >  On Wed, Sep 20, 2006 at 02:00:01PM +0000, Martin Wilke wrote:
 >  > >Synopsis:       [update] mail/mailman (security fixes)
 >  > >Description:
 >  > Update to 2.1.9
 >  >
 >  > Changes:
 >  >   Security
 >  >
 >  >     - A malicious user could visit a specially crafted URI and
 >  > inject an apparent log message into Mailman's error log which
 >  > might induce an unsuspecting administrator to visit a phishing
 >  > site.  This has been blocked.  Thanks to Moritz Naumann for its
 >  > discovery.
 >  >
 >  >     - Fixed denial of service attack which can be caused by some
 >  >       standards-breaking RFC 2231 formatted headers.
 >  > CVE-2006-2941.
 >  >
 >  >     - Several cross-site scripting issues have been fixed.  Thanks
 >  > to Moritz Naumann for their discovery.  CVE-2006-3636
 >  >
 >  >     - Fixed an unexploitable format string vulnerability.
 >  > Discovery and fix by Karl Chen.  Analysis of non-exploitability
 >  > by Martin 'Joey' Schulze.
 >  >       Also thanks go to Lionel Elie Mamane.  CVE-2006-2191.
 >  
 >  all these fixes are already included in pkgsrc, with the 2.1.9rc1
 >  update.
 Doh sorry my tree is too old :(
 
 >  
 >  >   Internationalization
 >  >
 >  >     - New languages: Arabic, Vietnamese.
 >  >
 >  >   Bug fixes and other patches
 >  >
 >  >     - Fixed Decorate.py so that characters in message
 >  > header/footer which are not in the character set of the list's
 >  > language are ignored rather
 >  >       than causing shunted messages (1507248).
 >  >
 >  >     - Switchboard.py - Closed very tiny holes at the upper ends of
 >  > queue slices that could result in unprocessable queue entries.
 >  > Improved FIFO
 >  >       processing when two queue entries have the same timestamp.
 >  
 >  are there actually _any_ differences to 2.1.9rc1?
 >  your patch is against an older version, too.
 >  
 
 Yes, here is a new patch 
 http://people.freebsd.org/~miwi/netbsd/mailman.diff
 
 >  
 >  regards,
 - Martin
 >  
 >  --
 >  -- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org>   --
 >  
 


