===========================================================
Ubuntu Security Notice USN-1069-1         February 22, 2011
mailman vulnerabilities
CVE-2010-3089, CVE-2011-0707
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mailman                         2.1.5-9ubuntu4.4

Ubuntu 8.04 LTS:
  mailman                         1:2.1.9-9ubuntu1.4

Ubuntu 9.10:
  mailman                         1:2.1.12-2ubuntu0.2

Ubuntu 10.04 LTS:
  mailman                         1:2.1.13-1ubuntu0.2

Ubuntu 10.10:
  mailman                         1:2.1.13-4ubuntu0.2

In general, a standard system update will make all the necessary
changes.

Details follow:

It was discovered that Mailman did not properly sanitize certain
fields, resulting in cross-site scripting (XSS) vulnerabilities. With
cross-site scripting vulnerabilities, if a user were tricked into
viewing server output during a crafted server request, a remote
attacker could exploit this to modify the contents, or steal
confidential data, within the same domain.