Package: hypermail
Version: 2.2.0.dfsg-2
Severity: grave
Tags: security
Justification: user security hole
Hypermail has a cross-site scripting vulnerability in the way it indexes mails.

E.g.: send a mail with this From address:

  "<iframe src=//debian.org>" em...@debian.org

All the pages indexing this email will have the iframe interpreted as HTML; the message listing under a specific message is also affected.

This was discovered by Eduardo Abril who sent <b>pepelotas</b> here:
http://archives.neohapsis.com/archives/fulldisclosure/2010-10/index.html

Regards

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32.23-grsec (SMP w/2 CPU cores)
Locale: lang=fr_fr.ut...@euro, lc_ctype=fr_fr.ut...@euro (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages hypermail depends on:
ii  libc6      2.7-18lenny4  GNU C Library: Shared libraries
ii  libgdbm3   1.8.3-3       GNU dbm database routines (runtime
ii  libpcre3   7.6-2.1       Perl 5 Compatible Regular Expressi
ii  python     2.5.2-3       An interactive high-level object-o

hypermail recommends no packages.

hypermail suggests no packages.

-- no debconf information
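The root cause described in the report is a mail header value (here the From display name) being copied into generated index pages without HTML output encoding. The following is an added illustration of the defensive fix, written here in C because hypermail is a C program; it is not hypermail's own code, and `html_escape` and `render_author_cell` are hypothetical helpers. The input string is the iframe display name quoted in the report, paired with a constructed placeholder address, and the output shows the same value rendered inertly as text.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Escape the five HTML-significant characters of `in` into `out`
 * (at most out_size bytes including the terminating NUL).
 * Returns the length the fully escaped string needs, excluding the NUL,
 * in the style of snprintf, so a caller can detect truncation by
 * comparing the return value against out_size. Hypothetical helper. */
size_t html_escape(const char *in, char *out, size_t out_size)
{
    size_t needed = 0;   /* full escaped length, even if we stop writing */
    size_t pos = 0;      /* bytes written so far */
    int truncated = 0;

    for (const char *p = in; *p; p++) {
        const char *rep;
        char single[2] = { *p, '\0' };
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = single;   break;
        }
        size_t len = strlen(rep);
        needed += len;
        /* Never split an entity: stop writing once one does not fit. */
        if (!truncated && out_size > 0 && pos + len < out_size) {
            memcpy(out + pos, rep, len);
            pos += len;
        } else {
            truncated = 1;
        }
    }
    if (out_size > 0)
        out[pos] = '\0';
    return needed;
}

/* Build one author cell of an archive index row from a display name and
 * an address, escaping both before they touch the markup.
 * Returns 0 on success, -1 if the output buffer was too small. */
int render_author_cell(const char *display_name, const char *addr,
                       char *out, size_t out_size)
{
    char name_esc[256];
    char addr_esc[256];

    if (html_escape(display_name, name_esc, sizeof name_esc) >= sizeof name_esc)
        return -1;
    if (html_escape(addr, addr_esc, sizeof addr_esc) >= sizeof addr_esc)
        return -1;

    int n = snprintf(out, out_size, "<td class=\"author\">%s &lt;%s&gt;</td>",
                     name_esc, addr_esc);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

int main(void)
{
    /* Display name taken from the report; the address is a constructed
     * placeholder, not the one in the original mail. */
    const char *from_name = "<iframe src=//debian.org>";
    const char *from_addr = "user@example.org";
    char cell[512];

    if (render_author_cell(from_name, from_addr, cell, sizeof cell) == 0)
        printf("%s\n", cell);
    return 0;
}
```

The escaped cell contains no literal `<` or `>` from the header, so the browser shows the iframe tag as text instead of loading it; a simple regression check for an archiver is to run its generated pages through this kind of assertion (no raw `<` originating from any header field) after indexing a message with such a From address.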