Change logs for mailman source package in Hoary

  • mailman (2.1.5-7ubuntu0.3) hoary-security; urgency=low
    
      * SECURITY UPDATE: XSS.
      * Add debian/patches/security-CVE-2006-3636-XSS.dpatch:
        - Fix various cross-site scripting vulnerabilities.
        - Patch backported from svn head, thanks to Barry Warsaw for preparing it.
        - CVE-2006-3636
      * Add debian/patches/security-CVE-2006-2941.dpatch:
        - Scrubber.py: Do not bail out if email's get_filename() throws a
          ValueError. This has been properly fixed in the next upstream email
          package (in Python core), but the fix is very intrusive. Thanks to Steve
          Alexander for discovering this and for the proposed patch.
        - CVE-2006-2941
        - Closes: LP#49620
      * Add debian/patches/security-error_log.dpatch:
        - Check characters in URL to prevent injecting bogus messages into
          error_log.
        - Patch taken from upstream SVN:
          http://svn.sourceforge.net/viewvc/mailman?view=rev&revision=7918
    
     -- Martin Pitt <email address hidden>   Tue, 12 Sep 2006 20:46:52 +0000
  • mailman (2.1.5-7ubuntu0.2) hoary-security; urgency=low
    
      * Security update: Remote DoS.
      * Add debian/patches/72_mime_None_payload.dpatch:
        - Do not crash if python's email module returns None for the payload of a
          MIME part. This can happen for message/delivery-status or parts that
          contain only two blank lines.
        - See upstream bug reports and CVS patch:
          https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1430236&group_id=103
          https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1099138&group_id=103
          http://cvs.sourceforge.net/viewcvs.py/mailman/mailman/Mailman/
          Handlers/Scrubber.py?r1=2.18.2.22&r2=2.18.2.23&diff_format=u
      * CVE-2006-0052
    
     -- Martin Pitt <email address hidden>   Mon,  3 Apr 2006 13:04:10 +0000
  • mailman (2.1.5-7ubuntu0.1) hoary-security; urgency=low
    
      * SECURITY UPDATE: Remote DoS.
      * Add debian/patches/70_invalid_utf8_dos.dpatch:
        - Do not crash on attachment filenames with invalid UTF-8 encoded name.
        - Thanks to Lionel Elie Mamane <email address hidden> for preparing the
          patch.
        - CVE-2005-3573
      * Add debian/patches/71_invalid_date_dos.dpatch:
        - Do not crash on mails with specially crafted dates which generate an
          OverflowError exception.
        - CVE-2005-4153
    
     -- Martin Pitt <email address hidden>  Mon, 16 Jan 2006 09:46:45 +0000
  • mailman (2.1.5-7) unstable; urgency=high
    
      * Brown bag release -- use '/' instead of the undefined SLASH in
        Cgi/private.py.  (closes: #294874)
      * Handle the case of non-ascii chars in realname.  (closes: #293861)
      * Fix up typo in cron script (closes: #284311)
      * Use head -n 1 instead of cat for getting the mailname out of
        /etc/mailname.  (closes: #287636)
    
     -- Tollef Fog Heen <email address hidden>  Wed, 16 Feb 2005 20:29:00 +0100