(Please don't hijack old threads about different issues, in particular not without changing the subject line.)
On Wed, Mar 29, 2006 at 08:15:40PM +0100, Steve Kemp wrote:
> Package for Sarge at:
> http://people.debian.org/~skx/updates/mailman/
> Potential advisory text - need to know which version in sid
> will fix it.

Sid and etch are not vulnerable; the problem was fixed in upstream 2.1.6; etch contains 2.1.7-1; it was fixed in sid (without even realising it) with the upload of 2.1.6-1 on Sun, 25 Dec 2005.

Please take this opportunity to retroactively add to the changelog of 2.1.5-8sarge1 that the

  * Don't die on overflow in date handling, which could lead to
    a DoS attack (closes: #326024)

is CVE-2005-4153. Also add (closes: #358892) to your changelog entry.

> Package : mailman
> Vulnerability : denial of service
> Problem-Type : remote
> Debian-specific: no
> CVE ID : CVE-2006-0052

Debian Bug : 358892

> A potential denial of service problem has been discovered in mailman,
> the web-based GNU mailing list manager. The Common Vulnerabilities and
> Exposures project identifies the following problems:

We should give more details, because there have been two other DoS vulnerabilities recently, so we don't want people to get confused. I propose something along the lines of:

  A potential denial of service problem has been discovered in mailman,
  the web-based GNU mailing list manager. The (failing) parsing of
  messages with malformed mime multiparts sometimes caused the whole
  mailing list to become inoperative.

> The old stable distribution (woody) is not vulnerable to this issue.
> For the unstable distribution (sid) this problem will be fixed soon.

--
Lionel