-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2008.0279 -- [UNIX/Linux][Ubuntu]
                           mailman vulnerability
                               17 March 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              mailman
Publisher:            Ubuntu
Operating System:     Ubuntu
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Cross-site Scripting
Access:               Existing Account
CVE Names:            CVE-2008-0564

Original Bulletin:    http://www.ubuntu.com/usn/usn-586-1

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Ubuntu. It is recommended that administrators
         running Mailman check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

=========================================================== 
Ubuntu Security Notice USN-586-1             March 15, 2008
mailman vulnerability
CVE-2008-0564
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mailman                         2.1.5-9ubuntu4.2

Ubuntu 6.10:
  mailman                         1:2.1.8-2ubuntu2.1

Ubuntu 7.04:
  mailman                         1:2.1.9-4ubuntu1.2

Ubuntu 7.10:
  mailman                         1:2.1.9-8ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

NOTE: Due to an internal release testing mistake, earlier
published mailman versions 1:2.1.9-4ubuntu1.1 (for Ubuntu
7.04) and 1:2.1.9-8ubuntu0.1 (for Ubuntu 7.10) accidentally
included an incorrect patch and caused a regression, as reported in
https://launchpad.net/bugs/202332

This update includes fixes for the problem.  We apologize for the
inconvenience.

Details follow:

Multiple cross-site scripting flaws were discovered in mailman.
A malicious list administrator could exploit this to execute arbitrary
JavaScript, potentially stealing user credentials.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2.diff.gz
      Size/MD5:   231090 d3e7124adf9454e2754e41c98df1a79c
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2.dsc
      Size/MD5:      626 0ac6344f31b1fd756ff3c724a059c907
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5.orig.tar.gz
      Size/MD5:  5745912 f5f56f04747cd4aff67427e7a45631af

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_amd64.deb
      Size/MD5:  6613254 72d9727b248c5e8ac1ffe6699989b546

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_i386.deb
      Size/MD5:  6612872 6fa80a2c5f9fb4ef86fc37f5948eb7ea

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_powerpc.deb
      Size/MD5:  6621726 45ad75a62c903f80ccaed21d8bff8e0f

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-9ubuntu4.2_sparc.deb
      Size/MD5:  6620818 7dc3bc18e981e78fa7d9e18bda151ecc

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1.diff.gz
      Size/MD5:   203009 ee4a019ea676c82f040bad51a13f2a04
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1.dsc
      Size/MD5:      819 53355a3ca08c288d785123da51dbb10e
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8.orig.tar.gz
      Size/MD5:  6856039 b9308ea3ffe8dd447458338408d46bd6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_amd64.deb
      Size/MD5:  8017888 34628b56f38515676c840c10f2aa100d

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_i386.deb
      Size/MD5:  8016276 18b60f0774f2f664d5505391834ed0c6

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_powerpc.deb
      Size/MD5:  8025122 20b2783ab25dd270751211463fdedc77

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.8-2ubuntu2.1_sparc.deb
      Size/MD5:  8023672 02dd507266718e196abef08311a995b5

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2.diff.gz
      Size/MD5:   142531 2e32aeebcbf3d45e498d4241bf1cf0c8
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2.dsc
      Size/MD5:      981 0c8c78087bcf0213f17013c94fea9764
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9.orig.tar.gz
      Size/MD5:  7829201 dd51472470f9eafb04f64da372444835

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_amd64.deb
      Size/MD5:  8606862 74502c6c9e9a8bb277c6f741abd46541

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_i386.deb
      Size/MD5:  8605384 46330ecad45d07957ac827e5f8e944e2

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_powerpc.deb
      Size/MD5:  8617812 08c3457654498fb0e944c6900c1111fa

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-4ubuntu1.2_sparc.deb
      Size/MD5:  8616850 d847a99c6173ffa101f5986cfd9ce9cf

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2.diff.gz
      Size/MD5:   151248 242099c74ff77d643fab04b0aeffee33
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2.dsc
      Size/MD5:     1032 97fd7fe28a0f1d32b95c3afd9cf1946a
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9.orig.tar.gz
      Size/MD5:  7829201 dd51472470f9eafb04f64da372444835

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2_amd64.deb
      Size/MD5:  8613496 982f4c248795c6555bdb62a0747a429d

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2_i386.deb
      Size/MD5:  8611448 94ad8c328a6367196dffcd38f3a56d17

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2_powerpc.deb
      Size/MD5:  8627854 a0b4e25a6c5892b77845f192e8d0ae70

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.9-8ubuntu0.2_sparc.deb
      Size/MD5:  8626282 2f318a3fc2a9bd1e50e4df96e15bdad1

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR93XGyh9+71yA2DNAQKk+wQAmEDbyYzQUoXPFHy/BACObgHWmpVZOu6A
CdOiPAaVmeGr8zULPCnL4PB02jDkmf+a3p4BCtbkuNzFe4IU5PW96Kv0YCUEC5uO
g5sgx+u9rdltmJZmXCgTrxMjvPXAGA7KEG7iq29Ug3KULNvxV/AvcGeoCcl42fJg
QPOgLxW91yk=
=1uFY
-----END PGP SIGNATURE-----