Bug 152895 - CAN-2005-0202 Mailman directory traversal
Summary: CAN-2005-0202 Mailman directory traversal
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: mailman
Version: unspecified
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: https://rhn.redhat.com/errata/RHSA-20...
Whiteboard: 1, LEGACY, QA, rh73, rh90
Duplicates: 152667 152735
Depends On:
Blocks:
 
Reported: 2005-02-10 12:15 UTC by Jeff Sheltren
Modified: 2007-03-27 04:29 UTC (History)
CC: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-10 21:29:05 UTC


Attachments

Description David Lawrence 2005-03-30 23:31:17 UTC
Created an SRPM using patch from RHEL3 and SRPM from FC1.

http://www.cs.ucsb.edu/~jeff/mailman-2.1.5-7.legacy.src.rpm

Feel free to use/rebuild as necessary.



------- Additional Comments From dom@earth.li 2005-02-10 09:27:32 ----

QA for RPM in comment 1:

6e4d02c20ca4f3093a4b1ba6b82f3b1533ccfeab  mailman-2.1.5-7.legacy.src.rpm

- spec change good
- patch good
- sources good
- no other changes

PUBLISH fc1



------- Additional Comments From sheltren@cs.ucsb.edu 2005-02-10 11:50:05 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Whoops, guess I should have gpg signed my first message
and added the shasum... well, I'll get used to this eventually :)

I've also taken the most recent legacy mailman release for RH9 and rebuilt
it with the same patch as used in the RHEL update.

It can be found here:
http://www.cs.ucsb.edu/~jeff/mailman-2.1.1-8.legacy.src.rpm

sha1sums for both packages:
2c129fa1352fdd3600b0230a94aab743f3c15bac  mailman-2.1.1-8.legacy.src.rpm
6e4d02c20ca4f3093a4b1ba6b82f3b1533ccfeab  mailman-2.1.5-7.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCC9b7Ke7MLJjUbNMRAt1eAKCerWibc5iRduGytDhQes0PeHlhlACeLK2w
+A1TQrNhMY+QJ8SgE3Mh2Sk=
=XSBD
-----END PGP SIGNATURE-----



------- Additional Comments From dom@earth.li 2005-02-10 15:20:19 ----

Packages released to updates-testing.

(Jeff: thanks for the rh9 packages; I'd already rolled them by the time you
posted that :)



------- Additional Comments From sheltren@cs.ucsb.edu 2005-02-10 16:22:40 ----

No problem.  Thanks for catching the extra buildreqs for the FC1 package!

----------
* Thu Feb 10 2005 Dominic Hargreaves <dom@earth.li> - 3:2.1.5-8.legacy

- Added python, autoconf and automake build prerequisites
----------



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-10 19:06:16 ----

*** Bug 2425 has been marked as a duplicate of this bug. ***



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-10 19:15:32 ----

We seem to be missing rh73 packages here...



------- Additional Comments From madhatter@teaparty.net 2005-02-10 21:55:12 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Package mailman-2.1.1-8.legacy.i386.rpm installs OK on RH9.  Web interface
good: list browsing, list admin, setting moderation bit, moderation (ie,
mail is held pending moderator approval), are all fine.  Sending mail to a
list is also fine.

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCDGSUePtvKV31zw4RAnroAKDI3lWp4lTW+CgIxn5ZNWYh8VUnBgCfXc2X
TrkSlD81CDxRW0aEbfx0Xz8=
=/fFG
-----END PGP SIGNATURE-----




------- Additional Comments From sheltren@cs.ucsb.edu 2005-02-11 05:11:51 ----

Created an attachment (id=993)
Proposed RH 7.3 patch

Makes a similar change as made in the RH9/FC1 patch.  I don't have a 7.3 box to
test it on.



------- Additional Comments From dom@earth.li 2005-02-11 05:17:04 ----

Updated 7.3 packages have been built and are waiting to be transferred to the
download server.



------- Additional Comments From dom@earth.li 2005-02-11 07:53:41 ----

updates-testing RPMS for rh7.3 now available for verification at:

http://www-astro.physics.ox.ac.uk/~dom/legacy/official/redhat/7.3/updates-testing/

Note: I'm not signing this message as I don't have access to my GPG key here,
but the packages are gpg-signed with the FL key. Please check the signature.

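The QA in the first reply (spec, patch and sources checked, sha1sum of the SRPM recorded) and Dominic's request above to check the FL key signature on the 7.3 packages come down to two mechanical checks: the file on disk matches the digest posted in the signed comment, and the RPM carries a valid signature from the project key. The script below is an added example, not code from this bug report or from Fedora Legacy; the file names, the `SHA1SUMS` layout and the sample payloads are constructed for the demo, and the only digest it relies on is the SHA-1 of the six bytes `hello\n`.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Fedora Legacy.
# Reproduces the two checks the QA comments perform on a candidate package
# before voting PUBLISH/VERIFY:
#   1. the file's SHA-1 matches the digest posted in the (PGP-signed) comment
#   2. the RPM itself carries a valid GPG signature from the project key
# Sample files and digests are constructed for the demo; they are not the
# real mailman SRPMs or their checksums.

# sha1_of FILE: print the hex SHA-1 of FILE (GNU sha1sum, or shasum on BSD/macOS)
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE EXPECTED: succeed only if FILE exists and its digest is EXPECTED
verify_sha1() {
    [ -f "$1" ] || return 1
    [ "$(sha1_of "$1")" = "$2" ]
}

# check_list LISTFILE: LISTFILE holds "<sha1>  <filename>" lines in the form
# posted in the comments; files are looked up next to LISTFILE. Reports each
# entry and fails if any listed file is missing or altered.
check_list() {
    list=$1
    dir=$(dirname "$list")
    rc=0
    while read -r sum name; do
        [ -n "$sum" ] || continue            # skip blank lines
        if verify_sha1 "$dir/$name" "$sum"; then
            echo "OK      $name"
        else
            echo "FAILED  $name"
            rc=1
        fi
    done < "$list"
    return $rc
}

# check_rpm_sig FILE: ask rpm to verify the embedded GPG signature. This proves
# something only after the signing key has been imported (rpm --import KEY);
# without it rpm reports NOKEY. Returns 2 when rpm is not installed at all.
check_rpm_sig() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed, skipping" >&2; return 2; }
    rpm -K "$1"
}

# Demo on constructed files: one matches its posted digest, one was altered
# after the digest was posted, one is listed but never downloaded.
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/mailman-good.src.rpm"
    printf 'hello!\n' > "$tmp/mailman-tampered.src.rpm"
    # SHA-1 of the six bytes "hello\n" (constant, computed offline)
    good=f572d396fae9206628714fb2ce00f72e94f2258f
    cat > "$tmp/SHA1SUMS" <<EOF
$good  mailman-good.src.rpm
$good  mailman-tampered.src.rpm
$good  mailman-missing.src.rpm
EOF
    check_list "$tmp/SHA1SUMS"
    status=$?
    echo "check_list exit status: $status (1 = at least one entry failed)"
    rm -rf "$tmp"
}

demo
```

For a real package the digest list is the one inside the clearsigned comment, so verify the message first (`gpg --verify` on the saved comment text) before trusting its sha1sums, then run `check_rpm_sig` after `rpm --import` of the signing key; a digest match alone only proves the download is the file the poster had, not who built it. SHA-1 is what the thread used in 2005; a current workflow would post and check SHA-256 instead.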


------- Additional Comments From bugzilla.fedora.us@beej.org 2005-03-01 23:13:21 ----

are the following fixed in the rh73 package?
CVE-2002-0389
CVE-2003-0991
CAN-2004-1143
CAN-2004-1177



------- Additional Comments From dom@earth.li 2005-03-04 07:25:26 ----

Re comment 11, can't remember offhand, all the packages currently in
updates-testing are rebuilds of RHEL updates. ISTR that some of those CANs are
quite minor in impact and so people haven't bothered to fix them.



------- Additional Comments From pizza@shaftnet.org 2005-03-06 03:56:34 ----

I'm using this in production on a FC1 box.  Everything seems to work so far.

+VERIFY FC1



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:31 -------

This bug previously known as bug 2419 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2419
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Proposed RH 7.3 patch
https://bugzilla.fedora.us/attachment.cgi?action=view&id=993

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Marc Deslauriers 2005-04-05 22:47:27 UTC
*** Bug 152735 has been marked as a duplicate of this bug. ***

Comment 2 Marc Deslauriers 2005-04-05 22:48:26 UTC
*** Bug 152667 has been marked as a duplicate of this bug. ***

Comment 3 Pekka Savola 2005-06-16 12:39:12 UTC
2 VERIFY votes, timeouts in 2 weeks.

Comment 4 Pekka Savola 2005-07-01 18:37:47 UTC
Timeout over, to be released.

Comment 5 Marc Deslauriers 2005-07-10 21:29:05 UTC
Packages were officially released.

