Bug 152895

Summary: CAN-2005-0202 Mailman directory traversal
Product: [Retired] Fedora Legacy
Reporter: Jeff Sheltren <sheltren>
Component: mailman
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: high
Version: unspecified
CC: jkeating, marc.deslauriers
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: 1, LEGACY, QA, rh73, rh90
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-10 21:29:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description David Lawrence 2005-03-30 23:31:17 UTC
Created an SRPM using patch from RHEL3 and SRPM from FC1.

Feel free to use/rebuild as necessary.

------- Additional Comments From 2005-02-10 09:27:32 ----

QA for RPM in comment 1:

6e4d02c20ca4f3093a4b1ba6b82f3b1533ccfeab  mailman-2.1.5-7.legacy.src.rpm

- spec change good
- patch good
- sources good
- no other changes

------- Additional Comments From 2005-02-10 11:50:05 ----

Whoops, guess I should have gpg signed my first message
and added the shasum... well, I'll get used to this eventually :)

I've also taken the most recent legacy mailman release for RH9 and rebuilt
it with the same patch as used in the RHEL update.

It can be found here:

sha1sums for both packages:
2c129fa1352fdd3600b0230a94aab743f3c15bac  mailman-2.1.1-8.legacy.src.rpm
6e4d02c20ca4f3093a4b1ba6b82f3b1533ccfeab  mailman-2.1.5-7.legacy.src.rpm

------- Additional Comments From 2005-02-10 15:20:19 ----

Packages released to updates-testing.

(Jeff: thanks for the rh9 packages; I'd already rolled them by the time you
posted that :)

------- Additional Comments From 2005-02-10 16:22:40 ----

No problem.  Thanks for catching the extra buildreqs for the FC1 package!

* Thu Feb 10 2005 Dominic Hargreaves <> - 3:2.1.5-8.legacy

- Added python, autoconf and automake build prerequisites

------- Additional Comments From 2005-02-10 19:06:16 ----

*** Bug 2425 has been marked as a duplicate of this bug. ***

------- Additional Comments From 2005-02-10 19:15:32 ----

We seem to be missing rh73 packages here...

------- Additional Comments From 2005-02-10 21:55:12 ----

Package mailman-2.1.1-8.legacy.i386.rpm installs OK on RH9.  Web interface
good: list browsing, list admin, setting moderation bit, moderation (i.e.,
mail is held pending moderator approval), are all fine.  Sending mail to a
list is also fine.

------- Additional Comments From 2005-02-11 05:11:51 ----

Created an attachment (id=993)
Proposed RH 7.3 patch

Makes a similar change as made in the RH9/FC1 patch.  I don't have a 7.3 box to
test it on.

------- Additional Comments From 2005-02-11 05:17:04 ----

Updated 7.3 packages have been built and are waiting to be transferred to the
download server.

------- Additional Comments From 2005-02-11 07:53:41 ----

updates-testing RPMS for rh7.3 now available for verification at:

Note: I'm not signing this message as I don't have access to my GPG key here,
but the packages are gpg-signed with the FL key. Please check the signature.

------- Additional Comments From 2005-03-01 23:13:21 ----

Are the following fixed in the rh73 package?

------- Additional Comments From 2005-03-04 07:25:26 ----

Re comment 11, can't remember offhand, all the packages currently in
updates-testing are rebuilds of RHEL updates. ISTR that some of those CANs are
quite minor in impact and so people haven't bothered to fix them.

------- Additional Comments From 2005-03-06 03:56:34 ----

I'm using this in production on a FC1 box.  Everything seems to work so far.

------- Bug moved to this database by 2005-03-30 18:31 -------

This bug previously known as bug 2419 at
Originally filed under the Fedora Legacy product and Package request component.

Proposed RH 7.3 patch

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Deslauriers 2005-04-05 22:47:27 UTC
*** Bug 152735 has been marked as a duplicate of this bug. ***

Comment 2 Marc Deslauriers 2005-04-05 22:48:26 UTC
*** Bug 152667 has been marked as a duplicate of this bug. ***

Comment 3 Pekka Savola 2005-06-16 12:39:12 UTC
2 VERIFY votes, timeouts in 2 weeks.

Comment 4 Pekka Savola 2005-07-01 18:37:47 UTC
Timeout over, to be released.

Comment 5 Marc Deslauriers 2005-07-10 21:29:05 UTC
Packages were officially released.