Bugzilla – Bug 49442
VUL-0: CVE-2004-0182: mailman: remote denial-of-service
Last modified: 2021-10-11 13:36:41 UTC
Hi Heiko, this is just for the sake of completeness. You are already aware of the remote denial of service condition in mailman that affects 2.0.x only (8.1/SLES8).
Heike, 8.0 includes mailman too.
Sorry! s/Heike/Heiko/ ;)
Created attachment 15935: patchinfo.mailman
Created attachment 15936: patchinfo-box.mailman
This includes 8.0 and 8.1
fixed in SLES8, 8.0 and 8.1 (apropos "Heike": I forgive you - this time ;)
Reopened by thomas@suse.de at Wed Feb 11 16:58:20 2004
reassigned to me for tracking
Hi HeikO. The problem still seems not to be fixed.

thomas@bragg:~> cat /work/src/done/8.0/mailman.note
Why is this necessary and what is the bugzilla ID? Which project manager approved this?
thomas@bragg:~> cat /work/src/done/8.1/mailman.note
There are no changes on this package?
thomas@bragg:~>

If I understood the objections of the autobuild guys correctly (remember: they rejected my commit), the security manager has to get an OK from the product manager for a version update. If we have that OK or if it is up to me to get that OK from the product manager, please let me know.
As we discussed some weeks ago: The cleanest way would be to add the patch to the version shipped with this specific SL version. If this patch is too complex or there is another serious reason to update the version, the product manager must give his/her "ok". Is that the case?
I don't think so. I'll just downgrade the patch.
Thank you!
Fixed in 8.0 including patchinfo for 8.0 and 8.1 (already committed).
Reopened by thomas@suse.de at Tue Mar 16 18:28:34 2004
reassigned to me for tracking....
Is this a hit?

Date: Fri, 2 Apr 2004 10:36:02 +0100 (BST)
From: Mark J Cox <mjc@redhat.com>
To: vendor-sec@lst.de
Cc: jdennis@redhat.com
Subject: [vendor-sec] mailman issue

Red Hat issued security erratum on February 19 2004, RHSA-2004:019, to correct a DoS (Denial of Service) vulnerability where an attacker could send a carefully-crafted message causing mailman to crash. CAN-2003-0991

Matthew Saltzman discovered a flaw in our original patch (whitespace indentation problems) to correct this vulnerability. This flaw can cause mailman to crash if it receives an email destined for a list with an empty subject field. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0182 to this issue.

Not sure if this will affect any other vendors, here is the bug id:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118669

If anyone is, please let me know and we can co-ordinate.

Cheers, Mark
Heiko, can you check our patch please.
Dear QA-Team, the following link describes a bug in the mailman patch that we might have been affected by, too.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118669
Can you test this please?
JFYI:

On Apr 5, 2004, at 10:16 AM, Vincent Danen wrote:
>
> On Apr 2, 2004, at 6:32 AM, Josh Bressers wrote:
>
> > > Red Hat issued security erratum on February 19 2004, RHSA-2004:019, to
> > > correct a DoS (Denial of Service) vulnerability where an attacker could
> > > send a carefully-crafted message causing mailman to crash. CAN-2003-0991
> > >
> > > Matthew Saltzman discovered a flaw in our original patch (whitespace
> > > indentation problems) to correct this vulnerability. This flaw can cause
> > > mailman to crash if it receives an email destined for a list with an empty
> > > subject field. The Common Vulnerabilities and Exposures project
> > > (cve.mitre.org) has assigned the name CAN-2004-0182 to this issue.
> > >
> > > Not sure if this will affect any other vendors, here is the bug id:
> > > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118669
> > >
> > > If anyone is, please let me know and we can co-ordinate.
> >
> > Mark,
> >
> > Progeny is affected by this for our transition service.
> >
> > April 14 perhaps? :)
> >
> > From what I've seen in your BTS, the new fix just drops a bad message. Is
> > your plan to fix this in a more graceful manner, or is the 2 line patch
> > what you guys are going with?
>
> Looks like we need to get on board with this as well. The 14th will work for us.
>
> So all that needs to be done is to decrease the indentation one level? Sounds easy enough... =)

On second glance, this does not affect us.

--
Mandrakesoft Security; http://www.mandrakesecure.net/
I can't reproduce this behaviour with SLES8. All I get while posting a message WITH NO SUBJECT is a posting with a subject line containing "(no subject)". I verified that Subject was not added by an intermediate MTA.
Reopened by thomas@suse.de at Mon Apr 5 20:30:58 2004
Ok, thank you a lot! reassigned to me for tracking.
packages approved.
CVE-2004-0182: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)