-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:191
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : mailman
 Date    : October 1, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0,
           Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in mailman:

 Multiple cross-site scripting (XSS) vulnerabilities in GNU Mailman
 before 2.1.14rc1 allow remote authenticated users to inject arbitrary
 web script or HTML via vectors involving (1) the list information
 field or (2) the list description field (CVE-2010-3089).

 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490

 The updated packages have been patched to correct these issues.
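The flaw class above is owner-controlled text (the list info and description fields, set through the authenticated admin pages) being interpolated into the public listinfo HTML without escaping. The following is an added illustration of that pattern and its fix; it is not Mailman's own listinfo code, the template string and the sample description are constructed for the example, and `websafe` here is a plain `html.escape` wrapper, not Mailman's `Utils.websafe`.

```python
"""Added example: unescaped versus escaped rendering of a list description.
Not Mailman's code; the template, list name and description are constructed."""
import html

# Constructed sample: a description a list owner could save through the
# admin interface. Hypothetical value, not taken from the advisory.
MALICIOUS_DESCRIPTION = 'Discussion list <script>alert(document.cookie)</script>'

# Constructed stand-in for the listinfo page template.
LISTINFO_TEMPLATE = (
    '<html><body><h1>{listname}</h1>'
    '<p class="description">{description}</p></body></html>'
)


def render_listinfo_unsafe(listname, description):
    """Vulnerable pattern: owner-controlled fields go into HTML verbatim,
    so any markup in them is interpreted by every visitor's browser."""
    return LISTINFO_TEMPLATE.format(listname=listname, description=description)


def websafe(text):
    """Escape the characters that can start or close HTML markup or attributes.
    quote=True also converts quotes, so the value is safe inside attributes."""
    return html.escape(text, quote=True)


def render_listinfo_safe(listname, description):
    """Hardened pattern: escape every free-text field at the point it is
    written into HTML, regardless of who is allowed to edit it."""
    return LISTINFO_TEMPLATE.format(
        listname=websafe(listname), description=websafe(description)
    )


def contains_script_tag(page):
    """Crude detector used to compare the two renderings."""
    return '<script' in page.lower()


def audit_descriptions(descriptions):
    """Given {listname: description}, return the lists whose description
    contains raw markup characters. Useful for reviewing existing lists on a
    server that has not yet been updated."""
    return sorted(name for name, desc in descriptions.items()
                  if '<' in desc or '>' in desc)


if __name__ == '__main__':
    print(render_listinfo_unsafe('dev', MALICIOUS_DESCRIPTION))
    print(render_listinfo_safe('dev', MALICIOUS_DESCRIPTION))
```

Escaping at output time is the right fix here rather than input filtering: the same description is also sent in plain-text contexts (overview pages, mail headers), so storing it pre-escaped would corrupt those, and a filter list of "bad tags" is easy to bypass.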
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3089
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 e08b1d9a020747ab70982e13a105bb48  2008.0/i586/mailman-2.1.9-2.2mdv2008.0.i586.rpm 
 749c76d1c7e7f4282b7ffbae1e442763  2008.0/SRPMS/mailman-2.1.9-2.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 e3bc59b996c69c2721a712ebb794921f  2008.0/x86_64/mailman-2.1.9-2.2mdv2008.0.x86_64.rpm 
 749c76d1c7e7f4282b7ffbae1e442763  2008.0/SRPMS/mailman-2.1.9-2.2mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 21de029e60fc9b80988dff7898ca8658  2009.0/i586/mailman-2.1.11-1.1mdv2009.0.i586.rpm 
 f97873131d08c4325a898ab7a715351d  2009.0/SRPMS/mailman-2.1.11-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 7c163192b300d72f301383c395da3b66  2009.0/x86_64/mailman-2.1.11-1.1mdv2009.0.x86_64.rpm 
 f97873131d08c4325a898ab7a715351d  2009.0/SRPMS/mailman-2.1.11-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 8ca5797ee931ade6c4756a044e9e9ac6  2009.1/i586/mailman-2.1.12-1.1mdv2009.1.i586.rpm 
 73ac7c0336096a0ee1cbf24520220c27  2009.1/SRPMS/mailman-2.1.12-1.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 f750f959be5916b1995391ccdcebb769  2009.1/x86_64/mailman-2.1.12-1.1mdv2009.1.x86_64.rpm 
 73ac7c0336096a0ee1cbf24520220c27  2009.1/SRPMS/mailman-2.1.12-1.1mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 a68bf17fb97f611aa5fd07edbfd25622  2010.0/i586/mailman-2.1.12-3.1mdv2010.0.i586.rpm 
 db0d3c48e664467c204d46fb9d5d86c8  2010.0/SRPMS/mailman-2.1.12-3.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 32b176fd2c1f8185ae061ca48020211f  2010.0/x86_64/mailman-2.1.12-3.1mdv2010.0.x86_64.rpm 
 db0d3c48e664467c204d46fb9d5d86c8  2010.0/SRPMS/mailman-2.1.12-3.1mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 e83ec834da21aaa9ac825b9dcca38066  2010.1/i586/mailman-2.1.13-1.1mdv2010.1.i586.rpm 
 23adc2d02aa602f4195d2133b86e68da  2010.1/SRPMS/mailman-2.1.13-1.1mdv2010.1.src.rpm

 Mandriva Linux 2010.1/X86_64:
 e93de69f9cccc6d208190ec865b29cd2  2010.1/x86_64/mailman-2.1.13-1.1mdv2010.1.x86_64.rpm 
 23adc2d02aa602f4195d2133b86e68da  2010.1/SRPMS/mailman-2.1.13-1.1mdv2010.1.src.rpm

 Corporate 4.0:
 309605c757131162e730e8d2e77a0331  corporate/4.0/i586/mailman-2.1.6-6.4.20060mlcs4.i586.rpm 
 3284f4a4621bd7a6d59ffe9173787a99  corporate/4.0/SRPMS/mailman-2.1.6-6.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 28250e366a8fab9c50d8e3964d593c9b  corporate/4.0/x86_64/mailman-2.1.6-6.4.20060mlcs4.x86_64.rpm 
 3284f4a4621bd7a6d59ffe9173787a99  corporate/4.0/SRPMS/mailman-2.1.6-6.4.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 6d2706e0f8f9001a673c8141eed8638d  mes5/i586/mailman-2.1.11-1.1mdvmes5.1.i586.rpm 
 f45434df800279721a685123da24af21  mes5/SRPMS/mailman-2.1.11-1.1mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 3d512d16b23e2bd2af6d9380376dd83c  mes5/x86_64/mailman-2.1.11-1.1mdvmes5.1.x86_64.rpm 
 f45434df800279721a685123da24af21  mes5/SRPMS/mailman-2.1.11-1.1mdvmes5.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMpgM7mqjQ0CJFipgRArhpAKDE37rsSZcf51MGaPoACkGUQwZi3wCeO8Zq
GQ4lM7dN1Jf2JsE33x5wVQY=
=iHdo
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
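The advisory publishes an md5 checksum per package and notes that urpmi checks checksums and GPG signatures for you. For packages fetched by hand (mirrors, air-gapped hosts), the following added example, which is not Mandriva tooling, parses an "Updated Packages" block of the form above and verifies files on disk against it, reporting mismatches and files that are missing. The demo writes constructed files into a temporary directory; the only real data it uses is one checksum line copied from this advisory.

```python
"""Added example: verify downloaded RPMs against the md5 list in an advisory.
Not Mandriva's tooling; sample files below are constructed for the demo."""
import hashlib
import os
import tempfile

HEX = set('0123456789abcdef')


def parse_checksum_lines(text):
    """Map 'relative/path' -> md5 hex from lines shaped 'md5hex  path'.
    Headings such as 'Mandriva Linux 2010.1:' have no 32-hex first token
    and are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32 and set(parts[0]) <= HEX:
            entries[parts[1]] = parts[0].lower()
    return entries


def md5_of_file(path):
    """Stream the file so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(expected, base_dir):
    """Return {relative_path: 'ok' | 'mismatch' | 'missing'} for every entry
    in the advisory list, so a silently absent package is reported too."""
    results = {}
    for rel, digest in expected.items():
        path = os.path.join(base_dir, rel)
        if not os.path.isfile(path):
            results[rel] = 'missing'
        elif md5_of_file(path) == digest:
            results[rel] = 'ok'
        else:
            results[rel] = 'mismatch'
    return results


def demo():
    """Constructed scenario: one intact download, one corrupted download,
    one package never downloaded. Checksums here are computed from the
    constructed bytes, not taken from any advisory."""
    good = b'constructed stand-in for an intact RPM'
    bad = b'constructed stand-in for a truncated RPM'
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, '2010.1', 'i586'))
        with open(os.path.join(d, '2010.1', 'i586', 'good.rpm'), 'wb') as f:
            f.write(good)
        with open(os.path.join(d, '2010.1', 'i586', 'bad.rpm'), 'wb') as f:
            f.write(bad)
        advisory_block = (
            'Mandriva Linux 2010.1:\n'
            f'{hashlib.md5(good).hexdigest()}  2010.1/i586/good.rpm\n'
            f'{hashlib.md5(bad + b"!").hexdigest()}  2010.1/i586/bad.rpm\n'
            f'{hashlib.md5(b"never fetched").hexdigest()}  2010.1/SRPMS/absent.src.rpm\n'
        )
        return verify_downloads(parse_checksum_lines(advisory_block), d)


if __name__ == '__main__':
    for rel, status in sorted(demo().items()):
        print(f'{status:9s} {rel}')
```

Treat a match as a download-integrity check, not as proof of authenticity: md5 has known collision attacks, so the authoritative check for a hand-fetched package is the Mandriva GPG signature on the RPM itself (`rpm --checksig`, with the 0x22458A98 key imported), and the checksum list is only trustworthy to the extent that the PGP signature on this advisory verifies.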