thijs at alioth.debian.org
2008-Feb-05 07:33 UTC
[Secure-testing-commits] r8076 - data/CVE
Author: thijs
Date: 2008-02-05 07:33:04 +0000 (Tue, 05 Feb 2008)
New Revision: 8076
Modified: data/CVE/list
Log: new mailman XSS issue requires being authenticated as list admin, which means you already have a lot of power over the list. No DSA for this issue in itself; I will take care of updating sid soon.

Modified: data/CVE/list ==================================================================--- data/CVE/list 2008-02-04 22:41:34 UTC (rev 8075) +++ data/CVE/list 2008-02-05 07:33:04 UTC (rev 8076) @@ -1,3 +1,12 @@ +CVE-2008-0564 [mailman xss as list admin] + - mailman <unfixed> (low) + [etch] - mailman <no-dsa> (Minor issue) + [sarge] - mailman <no-dsa> (Minor issue) + NOTE: Someone authenticated as list admin can insert malicious script + NOTE: into list templates. This already consists of a high degree of + NOTE: control over the mailinglist, so not a very important issue. + NOTE: This enhances the fix for CVE-2006-3636. + NOTE: http://mail.python.org/pipermail/mailman-announce/2008-February/000095.html CVE-2008-XXXX [insecure tmp file usage in webwml] - wml <unfixed> (low; bug #463907) [sarge] - wml <not-affected> (Vulnerable code is patched to use mkdtemp)
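Review bot: the unstable line `- mailman <unfixed> (low)` carries no bug reference, unlike the neighbouring wml entry (`bug #463907`); since the log says sid will be updated later, recording the Debian bug number on that line would let the tracker tie the eventual upload to this CVE. Two wording points in the NOTE lines: "This already consists of a high degree of control" reads better as "This already implies a high degree of control", and "mailinglist" should be "mailing list". The <no-dsa> (Minor issue) markings for etch and sarge are consistent with the stated rationale that the attacker must already hold list-admin rights.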