[Pkg-mailman-hackers] Re: [mm-deb] Bug#244181: CAN-2004-0182: DoSsable through message with an empty subject field
Siggy Brentrup
244181@bugs.debian.org, pkg-mailman-hackers@lists.alioth.debian.org
Sat, 17 Apr 2004 14:11:51 +0200
--ZGiS0Q5IWpPtfppv
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sat, Apr 17, 2004 at 01:14:43PM +0200, J.H.M. Dassen (Ray) wrote:
> On Sat, Apr 17, 2004 at 10:48:51 +0200, GCS wrote:
> > Mea culpa, I was too fast on responding this. Isn't it a duplicate of
> > #232079?
>=20
> I'm fairly sure it isn't.
>=20
> > See the changelog entry for 2.0.11-1woody8:
> > -- cut --
> > * Non-maintainer upload by the Security Team
> > * Fix a bug introduced in 2.0.11-1woody7
>=20
> Although it isn't mentioned explicitly, the phrasing suggest that this wa=
s a
> bug in how CAN-2003-0038, CAN-2003-0965 and/or CAN-2003-0991 were fixed in
> the Debian mailman package (as opposed to a bug in how these were address=
ed
> upstream).
>=20
> The issue I filed this bug for has a different CVE id (CAN-2004-0182) and
> has been addressed by a different distribution (Red Hat) already, which
> implies it isn't Debian-specific.
>=20
> > which caused a crash on messages with no Subject header at all
> > (Closes: #232079)
>=20
> Notice the "no Subject header at all" as opposed to the "empty subject
> field" in CAN-2004-0182 for which I filed this bug.
IMHO the proper solution is to upgrade to MM 2.0.14. Quoting its NEWS file:
| Here is a history of user visible changes to Mailman.
|=20
| 2.0.14 (08-Feb-2004)
|=20
| - Fixed CAN-2003-0991, a denial-of-service vulnerability in the mail
| command handler.
|=20
| - Fixed a small bug in the mail->news gateway.
|=20
| 2.0.13 (29-Jul-2002)
|=20
| - Fixed some Python 1.5.2 compatibility problems that crept into
| Mailman 2.0.12.
|=20
| - Fixed some configure script incompatibilities on certain
| platforms.
|=20
| 2.0.12 (02-Jul-2002)
|=20
| - Implemented a guard against some reply loops and 'bot
| subscription attacks. Specifically, if a message to -request
| has a Precedence: bulk (or list, or junk) header, the command is
| ignored. Well-behaved 'bots should always include such a
| header.
|=20
| - Changes to the configure script so that you can pass in the mail
| host and web host by setting the environment variables MAILHOST
| and WWWHOST respectively. configure will also exit if it can't
| figure out these values (usually due to broken dns).
|=20
| - Closed another minor cross-site scripting vulnerability.
|
I'll build mailman-2.0.14-1woody1 as soon as I get an OK from the security =
team.
Thanks
. Siggy
--ZGiS0Q5IWpPtfppv
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAgR8H94B/SGO8KQcRAq+LAKDRbi9dGV8l5lGTTnZrnHToZiniIQCeIdV2
mRLCJfsC8XcXDzxL7xyfpeU=
=UHnC
-----END PGP SIGNATURE-----
--ZGiS0Q5IWpPtfppv--