[Pkg-mailman-hackers] Bug#358575: mailman 2.1.5-8sarge3: screwup between security and maintainer upload

Lionel Elie Mamane lionel at mamane.lu
Wed Sep 6 10:03:34 UTC 2006 

Hi,

let a be an architecture in sarge. Then one of the following holds for
mailman in sarge r3:

 - it is affected by a security problem.

 - it has a severity critical bug.

Mailman in sid:

 - may or may not suffer of a security problem

A security problem in Mailman in sarge patched in May has _not_ been
issued a DSA.

Details:


There seems to have been a screw-up in handling of mailman security
and stable updates: There are two different mailman packages in Debian
with version number 2.1.5-8sarge3.

History, in chronological order:

 -8sarge2 security update to fix:
  potential DoS attack with malformed multi-part messages (closes: #358892) [CVE-2006-0052]

 -8sarge3 maintainer update (that got frozen waiting for -8sarge2 to
  happen in order not to conflict with it) to fix bug #358575, a
  severity critical bug.

  Uploaded to stable-proposed-updates in the night from 11 to 12
  April 2006, where it created problems because -8sarge1 was to be
  going in sarge r2, and having -8sarge3 appear confused
  everything. Stable update team says something along the lines of
  "will consider for sarge r3".

 -8sarge3 security update to fix:
  formt string vulnerability [src/common.c, debian/patches/72_CVE-2006-2191.dpatch]

  That security update has not been announced by a DSA, and cannot be
  downloaded from
  http://security.debian.org/pool/updates/main/m/mailman/ .

  I don't have access to the source of this package. It was apparently
  prepared by Martin "Joey" Schulze on 13 May 2006.


As a maintainer of Mailman, I have no recollection of being notified
of CVE-2006-2191 (it is possible I have missed the notification, but
my email archives do not contain anything relevant with subject
"mailman" and 2191 in the body); the CVE entry at mitre.org contains
no information. I have no idea whether this security problem affects
the version in sid or not, I have no precise information _what_ this
security problem is.

The situation right now:

 - sarge r3 contains mailman 2.1.5-8sarge3, but some architectures
   have the security update (such as i386) and others have the
   maintainer update (such as source, sparc and alpha).

   Thus all architectures are screwed up in one way or the other.

 - mailman 2.1.5-8sarge3 the security update is not publicly
   available, except for a few "select" architectures in binary form
   only (no source).


So, please, security team, tell us about CVE-2006-2191. If
appropriate, issue a DSA about it, for a package under version number
-8sarge4, built on top of -8sarge3 the maintainer update. Please give
us (the mailman-in-Debian maintainers) the information needed to fix
CVE-2006-2191 in sid, or make a retroactive note in the changelog to
note when it was fixed by a new upstream version.


Stable release team, please react accordingly; you may for example do
a binary sourceless NMU for the architectures that have -8sarge3 the
security update so that they all have -8sarge3 the maintainer update.



Thank you in advance for your participation in untangling that mess,

-- 
Lionel Elie Mamane

More information about the Pkg-mailman-hackers mailing list