Subject: Re: Mailman vulnerability
To: Lubomir Sedlacik <>
From: Steven M. Bellovin <>
List: current-users
Date: 12/10/2005 10:29:33
In message <>, Lubomir Sedlacik writes:

>On Sat, Dec 10, 2005 at 09:29:06AM -0500, D'Arcy J.M. Cain wrote:
>> On Sat, 10 Dec 2005 09:07:09 -0500 Steven M. Bellovin wrote:
>> > I was poking around the Mailman site a few days ago, and did not see
>> > any official fix for it there.  We'd have to import the Debian fix
>> > mentioned in the advisory.
>> That's my point.  It looks like we already did but it still complains.
>how old is your pkg-vulnerabilities file?  the version number was
>corrected after the fix was committed in revision 1.1245.

I still see the problem with 1.1252.
>and why is this discussed on current-users?  please contact the pkgsrc
>security team at pkgsrc-security@ when in doubt about
>pkg-vulnerabilities and related issues.  thanks,

Added to my cc list; current-users kept because that's where the issue 
was raised.

# ident /usr/pkgsrc/distfiles/pkg-vulnerabilities  
     $NetBSD: pkg-vulnerabilities,v 1.1252 2005/12/09 00:10:01 adrianp Exp $
# grep 'mailman.*1542' /usr/pkgsrc/distfiles/pkg-vulnerabilities
mailman<2.6.1nb1        1542,denial-of-service
# pwd
# cvs -q update -P -d
# make
===> Checking for vulnerabilities in mailman-2.1.6nb1
*** WARNING - 1542,denial-of-service vulnerability in mailman-2.1.6nb1 - see http:// for more information ***
or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential
*** Error code 1

make: stopped in /usr/pkgsrc/mail/mailman
*** Error code 1

make: stopped in /usr/pkgsrc/mail/mailman
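The warning above fires because the quoted pkg-vulnerabilities pattern `mailman<2.6.1nb1` has an upper bound that sorts above the installed `mailman-2.1.6nb1`, so the version comparison matches even though the fixed package is installed. The following is an added example, not pkgsrc's own code: a simplified re-implementation of a dewey-style version comparison and pattern match, run over a constructed pkg-vulnerabilities sample that contains both the entry quoted in the session and the corrected bound, so the transposed digits can be seen to be the cause.

```python
import re

# Constructed sample, modelled on the grep output above; the third field
# (URL) is a placeholder. First entry: bound as quoted. Second: corrected bound.
PKG_VULNERABILITIES = """\
# $NetBSD: pkg-vulnerabilities (constructed sample, not a real revision) $
mailman<2.6.1nb1        1542,denial-of-service   http://example.invalid/1542
mailman<2.1.6nb1        1542,denial-of-service   http://example.invalid/1542
"""

_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0}

def dewey(version):
    """Split '2.1.6nb1' into ([2, 1, 6], 1). Simplified rules (assumption):
    numbers compare numerically, a trailing letter counts as a component
    (a=1, b=2, ...), 'nb<n>' is the pkgsrc revision; alpha/beta/rc/pl
    modifiers are not handled here."""
    head, _, rev = version.partition("nb")
    parts = [int(t) if t.isdigit() else ord(t[0].lower()) - ord("a") + 1
             for t in re.findall(r"\d+|[A-Za-z]+", head)]
    return parts, int(rev) if rev else 0

def dewey_cmp(a, b):
    """Return -1, 0 or 1 comparing version strings a and b."""
    pa, na = dewey(a)
    pb, nb = dewey(b)
    n = max(len(pa), len(pb))
    pa, pb = pa + [0] * (n - len(pa)), pb + [0] * (n - len(pb))  # 1.0 == 1.0.0
    return ((pa > pb) - (pa < pb)) or ((na > nb) - (na < nb))

def split_pkg(pkg):
    """'mailman-2.1.6nb1' -> ('mailman', '2.1.6nb1'): split at the last '-' before a digit."""
    m = re.match(r"^(.*)-(\d[^-]*)$", pkg)
    return m.group(1), m.group(2)

def matches(pattern, pkg):
    """True if a pattern such as 'mailman<2.6.1nb1' covers the package name-version."""
    name, ver = split_pkg(pkg)
    m = re.match(r"^(.+?)(<=|>=|<|>)(.+)$", pattern)
    if m:
        return m.group(1) == name and _OPS[m.group(2)](dewey_cmp(ver, m.group(3)))
    return pattern == pkg  # plain 'name-version' entries match literally

def check(pkg, vulns=PKG_VULNERABILITIES):
    """Return [(pattern, type), ...] for every entry that flags this package."""
    hits = []
    for line in vulns.splitlines():
        if line and not line.startswith("#"):
            pattern, kind = line.split()[:2]
            if matches(pattern, pkg):
                hits.append((pattern, kind))
    return hits

if __name__ == "__main__":
    print(check("mailman-2.1.6nb1"))  # only the transposed 2.6.1nb1 entry matches
```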