|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2004-0182: mailman: remote denial-of-service | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Thomas Biege <thomas> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | CVE-2004-0182: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: |
patchinfo.mailman
patchinfo-box.mailman |
||
|
Description
Thomas Biege
2004-02-11 19:21:25 UTC
<!-- SBZ_reproduce --> - Heike, 8.0 include mailman too. Sorry! s/Heike/Heiko/ ;) Created attachment 15935 [details]
patchinfo.mailman
Created attachment 15936 [details]
patchinfo-box.mailman
This includes 8.0 and 8.1
fixed in SLES8, 8.0 and 8.1 (apropro "Heike": I forgive you - this time ;) <!-- SBZ_reopen -->Reopened by thomas@suse.de at Wed Feb 11 16:58:20 2004 reassigned to me for tracking Hi HeikO. The problems seems still not to be fixed. thomas@bragg:~> cat /work/src/done/8.0/mailman.note Why is this necessary and what is the bugzilla ID? Which project manager approved this? thomas@bragg:~> cat /work/src/done/8.1/mailman.note There are no changes on this package? thomas@bragg:~> If I understood the objections of the autobuild guys correctly (remember: they rejected my commit), the security manager has to get an OK from the product manager for a version update. If we have that OK or if it to me to get that OK from the product manager, please let me know. As we discussed some weeks ago: The cleanest way would be to add the patch to the version shipped with this specific SL version. If this patch is too complex or there is another serious reason to update the version, the productmanager must give his/her "ok". Is that the case? I don't think so. I'll just downgrade the patch. Thank you! Fixed in 8.0 including patchinfo for 8.0 and 8.1(already commited). <!-- SBZ_reopen -->Reopened by thomas@suse.de at Tue Mar 16 18:28:34 2004 reassigned to me for tracking.... Is this a hit? Date: Fri, 2 Apr 2004 10:36:02 +0100 (BST) From: Mark J Cox <mjc@redhat.com> To: vendor-sec@lst.de Cc: jdennis@redhat.com Subject: [vendor-sec] mailman issue Red Hat issued security erratum on February 19 2004, RHSA-2004:019, to correct a DoS (Denial of Service) vulnerability where an attacker could send a carefully-crafted message causing mailman to crash. CAN-2003-0991 Matthew Saltzman discovered a flaw in our original patch (whitespace indentation problems) to correct this vulnerability. This flaw can cause mailman to crash if it receives an email destined for a list with an empty subject field. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0182 to this issue. Not sure if this will affect any other vendors, here is the bug id: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118669 If anyone is, please let me know and we can co-ordinate. Cheers, Mark Heiko, can you check our patch please. Dear QA-Team, the following link describes a bug in the mailman patch we might have been affected too. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118669 Can you test this please? JFYI: On Apr 5, 2004, at 10:16 AM, Vincent Danen wrote: > > On Apr 2, 2004, at 6:32 AM, Josh Bressers wrote: > > > > Red Hat issued security erratum on February 19 2004, RHSA-2004:019, to > > > correct a DoS (Denial of Service) vulnerability where an attacker could > > > send a carefully-crafted message causing mailman to crash. CAN-2003-0991 > > > > > > Matthew Saltzman discovered a flaw in our original patch (whitespace > > > indentation problems) to correct this vulnerability. This flaw can cause > > > mailman to crash if it receives an email destined for a list with an empty > > > subject field. The Common Vulnerabilities and Exposures project > > > (cve.mitre.org) has assigned the name CAN-2004-0182 to this issue. > > > > > > Not sure if this will affect any other vendors, here is the bug id: > > > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118669 > > > > > > If anyone is, please let me know and we can co-ordinate. > > > > Mark, > > > > Progeny is affected by this for our transition service. > > > > April 14 perhaps? :) > > > > > From what I've seen in your BTS, the new fix just drops a bad message. Is > > your plan to fix this in a more graceful manner, or is the 2 line patch > > what you guys are going with? > > Looks like we need to get on board with this as well. The 14th will work for us. > > So all that needs to be done is to decrease the indentation one level? Sounds easy enough... =) On second glance, this does not affect us. -- Mandrakesoft Security; http://www.mandrakesecure.net/ I can't reproduce this behaviour with SLES8. All I get while posting a message WITH NO SUBJECT is a posting with a subject line containing "(no subject)". I verified that Subject was not added by an intermediate MTA. <!-- SBZ_reopen -->Reopened by thomas@suse.de at Mon Apr 5 20:30:58 2004 Ok, thank you a lot! reasigned to me for tracking. packages approved. CVE-2004-0182: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |