-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

##
## Patch description of patch 98f5b90c27d1ba5c76b51671dbbdb8bf
##
Kind: security
Shortdescription.english: Security update for mailman
Longdescription.english:
Applies to Package: mailman
Product(s):
Release: 20050211
Obsoletes: none

Indications
Install this update if you are using mailman.

Contraindications
None.

Problem description
A directory traversal problem was found in the archive handling of the mailman list manager. It allowed a remote attacker with access to a mail archive on the machine to read any file readable by the mailman CGI script, including the mailman config database with plaintext passwords, the mailing list archives of closed lists, or any world-readable file on the system.

This issue has been assigned the Mitre CVE ID CAN-2005-0202.

Solution
Please install the updates provided at the location noted below.

Installation notes
This update is provided as an RPM package that can easily be installed onto a running system by using this command:

rpm -Fvh mailman.rpm

Note 1: The last security update introduced a new dependency on the mailman package. Please make sure that the "python-xml" RPM is installed, otherwise mailman will not work correctly.

Note 2: After installing the upgraded packages, please make sure that your mailing list config databases have not been retrieved by attackers. You can do so by checking for patterns like ".....///" in your web server's access logs. If this is the case:

* Reset all user passwords. The last security update includes a new "change_member_pw" script which can do that easily.
* Change the mailing list admin password.
* Optionally: look for members who should not be in the list.
Hsilgne.noitpircsedgnol:
Size: 498
MinYaST1Version:
MinYaST2Version:
UpdateOnlyInstalled: true
Packages:
##
## -----> mailman <-----
##
Filename: mailman.rpm
Label: mailman
Series: i586
Size: 2140198 510417
PatchRpmBasedOn: 2.0.13-60 2.0.14-18 2.0.14-21
PatchRpmSize: 2140198 124216
Buildtime: 1108119908
DepAND:
DepOR:
DepExcl:
Flag:
Category:
RpmGroup: Productivity/Networking/Email/Mailinglists
Copyright: GPL
AuthorName: John Viega
AuthorAddress:
Version: 2.0.14-23
StartCommand:
Obsoletes:
Requires: python cron /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/getent /bin/echo /bin/cp /bin/rm /bin/mkdir aaa_base fillup fileutils /bin/sh /bin/bash /bin/sh /usr/bin/env ld-linux.so.2 libc.so.6 libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1) rpmlib(PayloadIsBzip2) <= 3.0.5-1
Provides: mailman
Segakcap:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCDSabqE7a6JyACsoRAmkPAJ9mG35I6qrhaFzr+mNNeICDi5P9uACf
UnsfTS9vnp5t/6SaDhOgsrmyK0s=
=STMX
-----END PGP SIGNATURE-----
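The access-log check from Note 2, written out as an added example (not part of the SUSE patch description or the mailman project). It assumes Apache combined log format and that the private archive CGI lives under /mailman/private/; it URL-decodes each request so that %-encoded variants of the ".....///" pattern are not missed, and reports the HTTP status so that successful (200) retrievals can be told apart from blocked ones.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Assumed location of the private-archive CGI; adjust to the local installation.
ARCHIVE_PREFIX = "/mailman/private/"

# Apache combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Two or more dots followed by one or more slashes: "../", ".../", ".....///" ...
DOT_SLASH_RE = re.compile(r"\.{2,}/+")


def is_traversal(path: str) -> bool:
    """True if the request path looks like an attempt to leave the archive tree."""
    decoded = unquote(path.split("?", 1)[0])  # drop the query string, undo %-encoding
    if DOT_SLASH_RE.search(decoded):
        return True
    # Resolve "." and ".." components; a normalised path that is no longer
    # under the archive root means the request escaped the archive tree.
    root = normpath(ARCHIVE_PREFIX)
    resolved = normpath(decoded)
    return not (resolved == root or resolved.startswith(root + "/"))


def scan_log(text: str) -> list:
    """Return archive requests carrying traversal patterns, with their status codes."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(ARCHIVE_PREFIX):
            continue
        if is_traversal(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": m["path"], "status": m["status"]})
    return hits


# Constructed sample lines for the demonstration; not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Feb/2005:10:15:01 +0100] "GET /mailman/private/mylist/2005-February/000001.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Feb/2005:10:16:44 +0100] "GET /mailman/private/mylist/.....///.....///somefile HTTP/1.0" 200 1830 "-" "Wget/1.9"
10.0.0.9 - - [11/Feb/2005:10:16:45 +0100] "GET /mailman/private/mylist/%2e%2e/%2e%2e/other HTTP/1.0" 200 9912 "-" "Wget/1.9"
10.0.0.7 - - [11/Feb/2005:10:17:02 +0100] "GET /mailman/listinfo/mylist HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["status"], h["path"])
```

Any hit with status 200 means the file was actually served, which is the case where Note 2's password resets apply.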