Ubuntu Security Notice USN-59-1
10th January, 2005
mailman vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 4.10
Details
Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft an URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page.
Juha-Matti Tapio discovered an information disclosure in the private
rosters management. Everybody could check whether a specified email
address was subscribed to a private mailing list by looking at the
error message. This bug was Ubuntu/Debian specific.
Important note:
There is currently another known vulnerability: when an user
subscribes to a mailing list without choosing a password, mailman
automatically generates one. However, there are only about 5 million
different possible passwords which allows brute force attacks.
A different password generation algorithm already exists, but is
currently too immature to be put into a stable release security
update. Therefore it is advisable to always explicitly choose a
password for subscriptions, at least until this gets fixed in Warty
Warthog.
See https://bugzilla.ubuntu.com/4892 for details.
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 4.10:
- mailman
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
None