[Secure-testing-commits] r8076 - data/CVE

thijs at alioth.debian.org thijs at alioth.debian.org
Tue Feb 5 07:33:04 UTC 2008

Author: thijs
Date: 2008-02-05 07:33:04 +0000 (Tue, 05 Feb 2008)
New Revision: 8076

new mailman XSS issue requires being authenticated as list admin, which means
you already have a lot of power over the list. No DSA for this issue in itself,
I will take care of updating sid soon.

Modified: data/CVE/list
--- data/CVE/list	2008-02-04 22:41:34 UTC (rev 8075)
+++ data/CVE/list	2008-02-05 07:33:04 UTC (rev 8076)
@@ -1,3 +1,12 @@
+CVE-2008-0564 [mailman xss as list admin]
+	- mailman <unfixed> (low)
+	[etch] - mailman <no-dsa> (Minor issue)
+	[sarge] - mailman <no-dsa> (Minor issue)
+	NOTE: Someone authenticated as list admin can insert malicious script
+	NOTE: into list templates. This already consists of a high degree of
+	NOTE: control over the mailinglist, so not a very important issue.
+	NOTE: This enhances the fix for CVE-2006-3636.
+	NOTE: http://mail.python.org/pipermail/mailman-announce/2008-February/000095.html
 CVE-2008-XXXX [insecure tmp file usage in webwml]
 	- wml <unfixed> (low; bug #463907)
 	[sarge] - wml <not-affected> (Vulnerable code is patched to use mkdtemp)
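Review bot: the `- mailman <unfixed> (low)` line carries no bug reference, unlike the `wml` entry below it (`bug #463907`); add the Debian bug number once one is filed so the sid fix promised in the commit message can be tracked. The NOTE wording "This already consists of a high degree of control over the mailinglist" is awkward; "Being list admin already implies a high degree of control over the mailing list" states the same rationale more clearly and fixes "mailinglist".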
