dcsimg
Linux Today: Linux News On Internet Time.





More on LinuxToday


Advisories: March 23, 2005

Mar 24, 2005, 04:45 (0 Talkback[s])

Fedora Core


Fedora Update Notification
FEDORA-2005-241
2005-03-22

Product : Fedora Core 2
Name : mailman
Version : 2.1.5
Release : 10.fc2
Summary : Mailing list manager with built in Web access.

Description :
Mailman is software to help manage email discussion lists, much like Majordomo and Smartmail. Unlike most similar products, Mailman gives each mailing list a webpage, and allows users to subscribe, unsubscribe, etc. over the Web. Even the list manager can administer his or her list entirely from the Web. Mailman also integrates most things people want to do with mailing lists, including archiving, mail <-> news gateways, and so on.

Documentation can be found in: /usr/share/doc/mailman-2.1.5

When the package has finished installing, you will need to perform some additional installation steps, these are described in: /usr/share/doc/mailman-2.1.5/INSTALL.REDHAT


Update Information:

A cross-site scripting (XSS) flaw in the driver script of mailman prior to version 2.1.5 could allow remote attackers to execute scripts as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-1177 to this issue.

Users of mailman should update to this erratum package, which corrects this issue by turning on STEALTH_MODE by default and using Utils.websafe() to quote the html.


  • Mon Mar 21 2005 John Dennis <jdennis@redhat.com> - 3:2.1.5-10.fc2
    • fix bug #147833, CAN-2004-1177
  • Mon Feb 14 2005 John Dennis <jdennis@redhat.com> - 3:2.1.5-9.fc2
    • fix bug #147856, moderator -1 admin requests pending
  • Tue Feb 8 2005 John Dennis <jdennis@redhat.com> - 3:2.1.5-8.fc2
    • fix security vulnerability CAN-2005-0202, errata RHSA-2005:136, bug #147343
  • Wed Jun 9 2004 John Dennis <jdennis@redhat.com> - 3:2.1.5-6
    • fix bug in pre scriplet, last command had been "service mailman stop"
    • bump rev for rebuild which should have been harmless if mailman was not installed except that it left the exit status from the script as non-zero and rpm aborted the install.
  • Wed Jun 9 2004 John Dennis <jdennis@redhat.com> - 3:2.1.5-5
    • add status reporting to init.d control script
      stop mailman during an installation
      restart mailman if it had been running prior to installation
  • Mon Jun 7 2004 John Dennis <jdennis@redhat.com> - 3:2.1.5-4
    • back python prereq down to 2.2, should be sufficient
  • Thu May 20 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-3
    • make python prereq be at least 2.3
  • Tue May 18 2004 Jeremy Katz <katzj@redhat.com> 3:2.1.5-2
    • rebuild
  • Mon May 17 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-1
    • bring up to latest 2.1.5 upstream release From Barry Warsaw: Mailman 2.1.5, a bug fix release that also contains new support for the Turkish language, and a few minor new features. Mailman 2.1.5 is a significant upgrade which should improve disk i/o performance, administrative overhead for discarding held spams, and the behavior of bouncing member disables. This version also contains a fix for an exploit that could allow 3rd parties to retrieve member passwords. It is thus highly recommended that all existing sitesupgrade to the latest version
  • Tue May 4 2004 Warren Togami <wtogami@redhat.com> 3:2.1.4-4
    • #105638 fix bytecompile and rpm -V
    • postun /etc/postfix/aliases fix
    • clean uninstall (no more empty dirs)
    • #115378 RedirectMatch syntax fix
  • Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Fri Jan 9 2004 John Dennis <jdennis@finch.boston.redhat.com> 3:2.1.4-1
    • upgrade to new upstream release 2.1.4
    • fixes bugs 106349,112851,105367,91463
  • Wed Jun 4 2003 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Wed May 7 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • bring up to next upstream release 2.1.2
  • Sun May 4 2003 Florian La Roche <Florian.LaRoche@redhat.de>
    • fix typo in post script: mmusr -> mmuser
  • Thu Apr 24 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • fix bug 72004, 74483, 74484, 87856 - improper log rotation
    • fix bug 88083 - mailman user/group needed to exist during build
    • fix bug 88144 - wrong %file attributes on mm_cfg.py
    • fix bug 89221 - mailman user not created on install
    • fix bug 89250 - wrong pid file name in initscript
  • Wed Mar 5 2003 Florian La Roche <Florian.LaRoche@redhat.de>
    • change to /etc/rc.d/init.d as in all other rpms
  • Thu Feb 20 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • change mailman login shell from /bin/false to /sbin/nologin
  • Fri Feb 14 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • bring package up to 2.1.1 release, add /usr/share/doc files
  • Sat Feb 1 2003 Florian La Roche <Florian.LaRoche@redhat.de>
    • make the icon dir owned by root:root as in other rpms
  • Fri Jan 31 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • various small tweaks to the spec file to make installation cleaner
    • use /usr/bin/python when compiling, redirect compile output to /dev/null,
    • don't run update in %post, let the user do it, remove the .pyc files in %postun,
    • add setting of MAILHOST and URLHOST to localhost.localdomain, don't let
    • configure set them to the build machine.
  • Mon Jan 27 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • add the cross site scripting (xss) security patch to version 2.1
  • Fri Jan 24 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • do not start mailman service in %post
  • Wed Jan 22 2003 Tim Powers <timp@redhat.com>
    • rebuilt
  • Mon Jan 20 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • 1) remove config patch, mailmanctl was not the right file to install in init.d,
    • it needed to be scripts/mailman
    • 2) rename httpd-mailman.conf to mailman.conf, since the file now lives
    • in httpd/conf.d directory the http prefix is redundant and inconsistent
    • with the other file names in that directory.
  • Tue Jan 7 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • Bring package up to date with current upstream source, 2.1
    • Fix several install/packaging problems that were in upstream source
    • Add multiple mail group functionality
    • Fix syntax error in fblast.py
    • Remove the forced setting of mail host and url host in mm_cfg.py
  • Tue Nov 12 2002 Tim Powers <timp@redhat.com> 2.0.13-4
    • remove files from $$RPM_BUILD_ROOT that we don't intent to ship
  • Wed Aug 14 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.13-3
    • set MAILHOST and WWWHOST in case the configure script can't figure out the local host name
  • Fri Aug 2 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.13-2
    • rebuild
  • Fri Aug 2 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.13-1
    • specify log files individually, per faq wizard
    • update to 2.0.13
  • Wed May 22 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.11-1
    • update to 2.0.11
  • Fri Apr 5 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.9-1
    • include README.QMAIL in with the docs (#58887)
    • include README.SENDMAIL and README.EXIM in with the docs
    • use an included httpd.conf file instead of listing the configuration directives in the %description, which due to specspo magic might look wrong sometimes (part of #51324)
    • interpolate the DEFAULT_HOST_NAME value in mm.cfg into both the DEFAULT_URL and MAILMAN_OWNER (#57987)
    • move logs to /var/log/mailman, qfiles to /var/spool/mailman, rotate logs in the log directory (#48724)
    • raise exceptions when someone tries to set the admin address for a list to that of the admin alias (#61468)
  • Thu Apr 4 2002 Nalin Dahyabhai <nalin@redhat.com>
    • fix a default permissions problem in /var/mailman/archives/private, reported by Johannes Erdfelt
    • update to 2.0.9
  • Tue Apr 2 2002 Nalin Dahyabhai <nalin@redhat.com>
    • make the symlink in /etc/smrsh relative
  • Tue Dec 11 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.8-1
    • set FQDN and URL at build-time so that they won't be set to the host the RPM package is built on (#59177)
  • Wed Nov 28 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.8
  • Sat Nov 17 2001 Florian La Roche <Florian.LaRoche@redhat.de> 2.0.7-1
    • update to 2.0.7
  • Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.6-1
    • update to 2.0.6
  • Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
    • code in default user/group names/IDs
  • Wed May 30 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.5
    • change the default hostname from localhost to localhost.localdomain in the default configuration
    • chuck configuration file settings other than those dependent on the host name (the build system's host name is not a good default) (#32337)
  • Tue Mar 13 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.3
  • Tue Mar 6 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.2
  • Wed Feb 21 2001 Nalin Dahyabhai <nalin@redhat.com>
    • patch from Barry Warsaw (via mailman-developers) to not die on broken Content-Type: headers
  • Tue Jan 9 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.1
  • Wed Dec 6 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0 final release
    • move the data to /var
  • Fri Oct 20 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to beta 6
  • Thu Aug 3 2000 Nalin Dahyabhai <nalin@redhat.com>
    • add note about adding FollowSymlinks so that archives work
  • Wed Aug 2 2000 Nalin Dahyabhai <nalin@redhat.com>
    • make the default owner root again so that root owns the docs
    • update to 2.0beta5, which fixes a possible security vulnerability
    • add smrsh symlink
  • Mon Jul 24 2000 Prospector <prospector@redhat.com>
    • rebuilt
  • Wed Jul 19 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to beta4
    • change uid/gid to apache.apache to match apache (#13593)
    • properly recompile byte-compiled versions of the scripts (#13619)
    • change mailman alias from root to postmaster
  • Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to beta3
    • drop bugs and arch patches (integrated into beta3)
  • Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
    • move web files to reside under /var/www
    • move files from /usr/share to /usr/share
    • integrate spot-fixes from mailman lists via gnome.org
  • Mon Jun 19 2000 Nalin Dahyabhai <nalin@redhat.com>
    • rebuild for Power Tools
  • Tue May 23 2000 Nalin Dahyabhai <nalin@redhat.com>
    • Update to 2.0beta2 to pick up security fixes.
    • Change equires python to list >= 1.5.2
  • Mon Nov 8 1999 Bernhard Rosenkranzer <bero@redhat.com>
    • 1.1
  • Tue Sep 14 1999 Preston Brown <pbrown@redhat.com>
    • 1.0 final.
  • Tue Jun 15 1999 Preston Brown <pbrown@redhat.com>
    • security fix for cookies
    • moved to /usr/share/mailman
  • Fri May 28 1999 Preston Brown <pbrown@redhat.com>
    • fix up default values.
  • Fri May 7 1999 Preston Brown <pbrown@redhat.com>
    • modifications to install scripts
  • Thu May 6 1999 Preston Brown <pbrown@redhat.com>
    • initial RPM for SWS 3.0

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

898fb9a008e82e26614d157bc6178244 SRPMS/mailman-2.1.5-10.fc2.src.rpm
69e2626ff50b3a1c71ef758a3724a5bb x86_64/mailman-2.1.5-10.fc2.x86_64.rpm
9aa5111f6bd88033bebfc67d329b7679 x86_64/debug/mailman-debuginfo-2.1.5-10.fc2.x86_64.rpm
2bb2085fd024b45215d43d0c17dc05f4 i386/mailman-2.1.5-10.fc2.i386.rpm
088c601b4fd076b933128a398810f7b7 i386/debug/mailman-debuginfo-2.1.5-10.fc2.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.


--
John Dennis <jdennis@redhat.com>


Fedora Update Notification
FEDORA-2005-242
2005-03-22

Product : Fedora Core 3
Name : mailman
Version : 2.1.5
Release : 32.fc3
Summary : Mailing list manager with built in Web access.

Description :
Mailman is software to help manage email discussion lists, much like Majordomo and Smartmail. Unlike most similar products, Mailman gives each mailing list a webpage, and allows users to subscribe, unsubscribe, etc. over the Web. Even the list manager can administer his or her list entirely from the Web. Mailman also integrates most things people want to do with mailing lists, including archiving, mail <-> news gateways, and so on.

Documentation can be found in: /usr/share/doc/mailman-2.1.5

When the package has finished installing, you will need to perform some additional installation steps, these are described in: /usr/share/doc/mailman-2.1.5/INSTALL.REDHAT


Update Information:

A cross-site scripting (XSS) flaw in the driver script of mailman prior to version 2.1.5 could allow remote attackers to execute scripts as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-1177 to this issue.

Users of mailman should update to this erratum package, which corrects this issue by turning on STEALTH_MODE by default and using Utils.websafe() to quote the html.

In addition this version of the rpm includes a utility script in /usr/share/doc/mailman-*/contrib/migrate-fhs that can be run if the user has installed an FC3 or FC4 mailman rpm over an older non-FHS compliant mailman installation. The script will aid in moving the file locations from the old directory structure to the new FHS mailman directory structure that are present in FC3, FC4, and RHEL4. Users who have installed mailman originally from FC3, FC4 or RHEL4 will not need to migration any file locations.


  • Wed Mar 2 2005 John Dennis <jdennis@redhat.com> - 3:2.1.5-32.fc3
    • fix bug #150065, provide migration script for new FHS installation
    • fix bug #147833, CAN-2004-1177
  • Mon Feb 14 2005 John Dennis <jdennis@redhat.com> - 3:2.1.5-31.fc3
    • fix bug #132750, add daemon to mail-gid so courier mail server will work.
    • fix bug #143008, wrong location of mailmanctl in logrotate
    • fix bug #142605, init script doesn't use /var/lock/subsys
  • Tue Feb 8 2005 John Dennis <jdennis@redhat.com> - 3:2.1.5-30.fc3
    • fix security vulnerability CAN-2005-0202, errata RHSA-2005:137, bug #147343
  • Tue Nov 9 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-29.fc3
    • fix bug #137863, buildroot path in .pyc files
  • Mon Nov 8 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-27
    • rebuild to fix bug #137863, python embeds build root in .pyc files
  • Sat Oct 16 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-26
    • fix typo in install documentation
    • fix error in templates/Makefile.in, bad install args, fixes bug #136001, thank you to Kaj J. Niemi for spotting this.
  • Thu Oct 14 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-24
    • more FHS changes, matches with new SELinux security policy
  • Wed Sep 29 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-21
    • move list data dir to /var/lib/mailman to conform to FHS move lock dir to /var/lock/mailman to conform to FHS move config dir (VAR_PREFIX/data) to /etc/mailman to conform to FHS Thanks to Matt Domsch for pointing this out.
  • Tue Sep 28 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-20
    • fix bug #132732, security policy violations,
    • bump release verison move non-data installation files from /var/mailman to /usr/lib/mailman, update documentation
  • Fri Sep 10 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-19
    • add il18n start/stop strings to init.d script
  • Fri Sep 10 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-18
    • fix bug #89250, add condrestart also fix status return values in mailmanctl and init.d script
  • Tue Sep 7 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-17
    • fix bug #120930, add contents of contrib to doc area
  • Tue Sep 7 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-16
    • fix bug #121220, httpd config file tweaks add doc to INSTALL.REDHAT for selecting MTA
  • Fri Sep 3 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-15
    • fix bug #117615, don't overwrite user modified templates on install made template directory "config noreplace"
  • Thu Sep 2 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-14
    • add comments into the crontab files so users know the /etc/cron.d file is volitile and will edit the right file. Also make the master crontab file "config noreplace" so edits are preserved.
  • Wed Sep 1 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-13
    • fix bug #124208, enable mailman cron jobs from init.d rather than during installation
  • Tue Aug 31 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-12
    • fix bug #129920, cron jobs execute under wrong SELinux policy
  • Mon Aug 30 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-11
    • remove all editing of aliases file in %pre and %post, fixes #bug 125651
  • Mon Aug 9 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-10
    • fix bug #129492 and bug #120912 stop using crontab to setup mailman's cron jobs, instead install cron script in /etc/cron.d
  • Mon Aug 9 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-9
  • Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Wed Jun 9 2004 John Dennis <jdennis@redhat.com> - 3:2.1.5-7
    • bump rev for rebuild
  • Wed Jun 9 2004 John Dennis <jdennis@redhat.com> - 3:2.1.5-6
    • fix bug in pre scriplet, last command had been "service mailman stop" which should have been harmless if mailman was not installed except that it left the exit status from the script as non-zero and rpm aborted the install.
  • Wed Jun 9 2004 John Dennis <jdennis@redhat.com> - 3:2.1.5-5
    • add status reporting to init.d control script stop mailman during an installation restart mailman if it had been running prior to installation
  • Mon Jun 7 2004 John Dennis <jdennis@redhat.com> - 3:2.1.5-4
    • back python prereq down to 2.2, should be sufficient
  • Thu May 20 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-3
    • make python prereq be at least 2.3
  • Tue May 18 2004 Jeremy Katz <katzj@redhat.com> 3:2.1.5-2
    • rebuild
  • Mon May 17 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-1
    • bring up to latest 2.1.5 upstream release From Barry Warsaw: Mailman 2.1.5, a bug fix release that also contains new support for the Turkish language, and a few minor new features. Mailman 2.1.5 is a significant upgrade which should improve disk i/o performance, administrative overhead for discarding held spams, and the behavior of bouncing member disables. This version also contains a fix for an exploit that could allow 3rd parties to retrieve member passwords. It is thus highly recommended that all existing sitesupgrade to the latest version
  • Tue May 4 2004 Warren Togami <wtogami@redhat.com> 3:2.1.4-4
    • #105638 fix bytecompile and rpm -V
    • postun /etc/postfix/aliases fix
    • clean uninstall (no more empty dirs)
    • #115378 RedirectMatch syntax fix
  • Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Fri Jan 9 2004 John Dennis <jdennis@finch.boston.redhat.com> 3:2.1.4-1
    • upgrade to new upstream release 2.1.4
    • fixes bugs 106349,112851,105367,91463
  • Wed Jun 4 2003 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Wed May 7 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • bring up to next upstream release 2.1.2
  • Sun May 4 2003 Florian La Roche <Florian.LaRoche@redhat.de>
    • fix typo in post script: mmusr -> mmuser
  • Thu Apr 24 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • fix bug 72004, 74483, 74484, 87856 - improper log rotation
    • fix bug 88083 - mailman user/group needed to exist during build
    • fix bug 88144 - wrong %file attributes on mm_cfg.py
    • fix bug 89221 - mailman user not created on install
    • fix bug 89250 - wrong pid file name in initscript
  • Wed Mar 5 2003 Florian La Roche <Florian.LaRoche@redhat.de>
    • change to /etc/rc.d/init.d as in all other rpms
  • Thu Feb 20 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • change mailman login shell from /bin/false to /sbin/nologin
  • Fri Feb 14 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • bring package up to 2.1.1 release, add /usr/share/doc files
  • Sat Feb 1 2003 Florian La Roche <Florian.LaRoche@redhat.de>
    • make the icon dir owned by root:root as in other rpms
  • Fri Jan 31 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • various small tweaks to the spec file to make installation cleaner
    • use /usr/bin/python when compiling, redirect compile output to /dev/null,
    • don't run update in %post, let the user do it, remove the .pyc files in %postun,
    • add setting of MAILHOST and URLHOST to localhost.localdomain, don't let
    • configure set them to the build machine.
  • Mon Jan 27 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • add the cross site scripting (xss) security patch to version 2.1
  • Fri Jan 24 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • do not start mailman service in %post
  • Wed Jan 22 2003 Tim Powers <timp@redhat.com>
    • rebuilt
  • Mon Jan 20 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • 1) remove config patch, mailmanctl was not the right file to install in init.d,
    • it needed to be scripts/mailman
    • 2) rename httpd-mailman.conf to mailman.conf, since the file now lives
    • in httpd/conf.d directory the http prefix is redundant and inconsistent
    • with the other file names in that directory.
  • Tue Jan 7 2003 John Dennis <jdennis@finch.boston.redhat.com>
    • Bring package up to date with current upstream source, 2.1
    • Fix several install/packaging problems that were in upstream source
    • Add multiple mail group functionality
    • Fix syntax error in fblast.py
    • Remove the forced setting of mail host and url host in mm_cfg.py
  • Tue Nov 12 2002 Tim Powers <timp@redhat.com> 2.0.13-4
    • remove files from $$RPM_BUILD_ROOT that we don't intent to ship
  • Wed Aug 14 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.13-3
    • set MAILHOST and WWWHOST in case the configure script can't figure out the local host name
  • Fri Aug 2 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.13-2
    • rebuild
  • Fri Aug 2 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.13-1
    • specify log files individually, per faq wizard
    • update to 2.0.13
  • Wed May 22 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.11-1
    • update to 2.0.11
  • Fri Apr 5 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.9-1
    • include README.QMAIL in with the docs (#58887)
    • include README.SENDMAIL and README.EXIM in with the docs
    • use an included httpd.conf file instead of listing the configuration directives in the %description, which due to specspo magic might look wrong sometimes (part of #51324)
    • interpolate the DEFAULT_HOST_NAME value in mm.cfg into both the DEFAULT_URL and MAILMAN_OWNER (#57987)
    • move logs to /var/log/mailman, qfiles to /var/spool/mailman, rotate logs in the log directory (#48724)
    • raise exceptions when someone tries to set the admin address for a list to that of the admin alias (#61468)
  • Thu Apr 4 2002 Nalin Dahyabhai <nalin@redhat.com>
    • fix a default permissions problem in /var/mailman/archives/private, reported by Johannes Erdfelt
    • update to 2.0.9
  • Tue Apr 2 2002 Nalin Dahyabhai <nalin@redhat.com>
    • make the symlink in /etc/smrsh relative
  • Tue Dec 11 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.8-1
    • set FQDN and URL at build-time so that they won't be set to the host the RPM package is built on (#59177)
  • Wed Nov 28 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.8
  • Sat Nov 17 2001 Florian La Roche <Florian.LaRoche@redhat.de> 2.0.7-1
    • update to 2.0.7
  • Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com> 2.0.6-1
    • update to 2.0.6
  • Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
    • code in default user/group names/IDs
  • Wed May 30 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.5
    • change the default hostname from localhost to localhost.localdomain in the default configuration
    • chuck configuration file settings other than those dependent on the host name (the build system's host name is not a good default) (#32337)
  • Tue Mar 13 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.3
  • Tue Mar 6 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.2
  • Wed Feb 21 2001 Nalin Dahyabhai <nalin@redhat.com>
    • patch from Barry Warsaw (via mailman-developers) to not die on broken Content-Type: headers
  • Tue Jan 9 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.1
  • Wed Dec 6 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0 final release
    • move the data to /var
  • Fri Oct 20 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to beta 6
  • Thu Aug 3 2000 Nalin Dahyabhai <nalin@redhat.com>
    • add note about adding FollowSymlinks so that archives work
  • Wed Aug 2 2000 Nalin Dahyabhai <nalin@redhat.com>
    • make the default owner root again so that root owns the docs
    • update to 2.0beta5, which fixes a possible security vulnerability
    • add smrsh symlink
  • Mon Jul 24 2000 Prospector <prospector@redhat.com>
    • rebuilt
  • Wed Jul 19 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to beta4
    • change uid/gid to apache.apache to match apache (#13593)
    • properly recompile byte-compiled versions of the scripts (#13619)
    • change mailman alias from root to postmaster
  • Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to beta3
    • drop bugs and arch patches (integrated into beta3)
  • Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
    • move web files to reside under /var/www
    • move files from /usr/share to /usr/share
    • integrate spot-fixes from mailman lists via gnome.org
  • Mon Jun 19 2000 Nalin Dahyabhai <nalin@redhat.com>
    • rebuild for Power Tools
  • Tue May 23 2000 Nalin Dahyabhai <nalin@redhat.com>
    • Update to 2.0beta2 to pick up security fixes.
    • Change equires python to list >= 1.5.2
  • Mon Nov 8 1999 Bernhard Rosenkranzer <bero@redhat.com>
    • 1.1
  • Tue Sep 14 1999 Preston Brown <pbrown@redhat.com>
    • 1.0 final.
  • Tue Jun 15 1999 Preston Brown <pbrown@redhat.com>
    • security fix for cookies
    • moved to /usr/share/mailman
  • Fri May 28 1999 Preston Brown <pbrown@redhat.com>
    • fix up default values.
  • Fri May 7 1999 Preston Brown <pbrown@redhat.com>
    • modifications to install scripts
  • Thu May 6 1999 Preston Brown <pbrown@redhat.com>
    • initial RPM for SWS 3.0

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

2035fb6745f1e7450014d6fc93599fd6 SRPMS/mailman-2.1.5-32.fc3.src.rpm
bce1fd54e4b957e893fdcd36b9c65dad x86_64/mailman-2.1.5-32.fc3.x86_64.rpm
89dcbb4182b5a49b3fe936232c0b397b x86_64/debug/mailman-debuginfo-2.1.5-32.fc3.x86_64.rpm
660ab67c528290082041a69aebc3d437 i386/mailman-2.1.5-32.fc3.i386.rpm
b1e34a8085876f74c06922f291ccb5af i386/debug/mailman-debuginfo-2.1.5-32.fc3.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.


--
John Dennis <jdennis@redhat.com>

SUSE Linux


SUSE Security Announcement

Package: ImageMagick
Announcement-ID: SUSE-SA:2005:017
Date: Wed, 23 Mar 2005 14:00:00 +0000
Affected products: 8.2, 9.0, 9.1, 9.2 SUSE Linux Desktop 1.0 SUSE Linux Enterprise Server 8, 9 Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10): 5
SUSE default package: no
Cross References: CAN-2005-0397 CAN-2005-0759 CAN-2005-0760 CAN-2005-0761 CAN-2005-0762

Content of this advisory:

  1. security vulnerability resolved: several security problems in ImageMagick problem description
  2. solution/workaround
  3. special instructions and notes
  4. package location and checksums
  5. pending vulnerabilities, solutions, workarounds: See SUSE Security Summary Report.
  6. standard appendix (further information)

1) problem description, brief discussion

This update fixes several security issues in the ImageMagick program suite:

  • A format string vulnerability was found in the display program which could lead to a remote attacker being to able to execute code as the user running display by providing handcrafted filenames of images. This is tracked by the Mitre CVE ID CAN-2005-0397.

    Andrei Nigmatulin reported 4 problems in older versions of ImageMagick:

  • A bug was found in the way ImageMagick handles TIFF tags. It is possible that a TIFF image file with an invalid tag could cause ImageMagick to crash. This is tracked by the Mitre CVE ID CAN-2005-0759.

    Only ImageMagick version before version 6 are affected.

  • A bug was found in ImageMagick's TIFF decoder. It is possible that a specially crafted TIFF image file could cause ImageMagick to crash. This is tracked by the Mitre CVE ID CAN-2005-0760.

    Only ImageMagick version before version 6 are affected.

  • A bug was found in the way ImageMagick parses PSD files. It is possible that a specially crafted PSD file could cause ImageMagick to crash. This is tracked by the Mitre CVE ID CAN-2005-0761.

    Only ImageMagick version before version 6.1.8 are affected.

  • A heap overflow bug was found in ImageMagick's SGI parser. It is possible that an attacker could execute arbitrary code by tricking a user into opening a specially crafted SGI image file. This is tracked by the Mitre CVE ID CAN-2005-0762.

    Only ImageMagick version before version 6 are affected.

2) solution/workaround

Please install the updated packages.

3) special instructions and notes

None.

4) package location and checksums

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update.
Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

x86 Platform:

SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/ImageMagick-6.0.7-4.6.i586.rpm e0abc35e5b6e62c411d20ef6e2e9f977
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/ImageMagick-Magick++-6.0.7-4.6.i586.rpm 03e732ad0f84a86746b9c227fc89b445
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/ImageMagick-devel-6.0.7-4.6.i586.rpm c284ca68e325b91406ddd7d89d469578
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/perl-PerlMagick-6.0.7-4.6.i586.rpm 1b266f8322f93bf46889bcede41807b2

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/ImageMagick-5.5.7-225.15.i586.rpm f9b715bc0b7a903d7d9ed05bb185e305
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/ImageMagick-Magick++-5.5.7-225.15.i586.rpm a2f7fc378cfe423636e85d41ce2e84a3
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/ImageMagick-devel-5.5.7-225.15.i586.rpm bd64b2c1a6725453e5c76fb8fa6504a9
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/perl-PerlMagick-5.5.7-225.15.i586.rpm b8b09bdc13ad121251b206b0c867250a

source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/ImageMagick-5.5.7-225.15.src.rpm 25266f599e107cb3587b78311c3526d7

SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/ImageMagick-5.5.7-233.i586.rpm efe3d14315a46951b3c9b67d77ae7e24
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/ImageMagick-Magick++-5.5.7-233.i586.rpm d2edc9ca9c44981a804081ceee7995e8
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/ImageMagick-devel-5.5.7-233.i586.rpm c596c37ffc1037edd206f2ed2b7aba8c
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/perl-PerlMagick-5.5.7-233.i586.rpm 0cdf7ec0f6a284fd1ecd0f8b4669f106

source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/ImageMagick-5.5.7-233.src.rpm 388fc41c453baecab3249d0c5520e509

SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/ImageMagick-5.5.4-125.i586.rpm f1fd06f68f5d1340aa48a1249a666b42
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/ImageMagick-Magick++-5.5.4-125.i586.rpm 476eb03a384a7f3295f0933bfd22037b
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/ImageMagick-devel-5.5.4-125.i586.rpm 1fe5babe00b1a2e3b29b27afdc49a5eb
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/perl-PerlMagick-5.5.4-125.i586.rpm 7b4954080bed5957fc4dafc139877ffb

source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/ImageMagick-5.5.4-125.src.rpm fb728261f74de1c886b8e89c6ccdc527

x86-64 Platform:

SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/ImageMagick-6.0.7-4.6.x86_64.rpm 2b5031672b87983839255c62a8d2b6c6
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/ImageMagick-Magick++-6.0.7-4.6.x86_64.rpm 65e2f75380c5c09318de2c2d5341dd8f
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/ImageMagick-devel-6.0.7-4.6.x86_64.rpm dd81443b6ddd154a7c0f5af0ba107686
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/perl-PerlMagick-6.0.7-4.6.x86_64.rpm a7900a8703a0fe17ff64ff9dcb9e52f4

source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/ImageMagick-6.0.7-4.6.src.rpm 610adb7f10d61555aa46b27e29eebf05

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/ImageMagick-5.5.7-225.15.x86_64.rpm 6ea3b05343ea37f54b0912576e5bc6e7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/ImageMagick-Magick++-5.5.7-225.15.x86_64.rpm 7b9e5c6e6094abc2f11f2817ca513b89
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/ImageMagick-devel-5.5.7-225.15.x86_64.rpm c0f61d39f21a1b365f301515230a357b
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/perl-PerlMagick-5.5.7-225.15.x86_64.rpm c9e54772c1cd1ad6a06bafd926377095

source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/ImageMagick-5.5.7-225.15.src.rpm 49128ab7a073c5c65883801bafa60a6b

SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/ImageMagick-5.5.7-233.x86_64.rpm 7b7cbce2c54582984747576efe1d551d
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/ImageMagick-Magick++-5.5.7-233.x86_64.rpm 108267eb5c839b17b878d63a351c1ee1
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/ImageMagick-devel-5.5.7-233.x86_64.rpm 34a4699f690dc4b11c347274abddb6fe
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/perl-PerlMagick-5.5.7-233.x86_64.rpm 83d2c15b6ba09df08b560d131de2cf5b

source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/ImageMagick-5.5.7-233.src.rpm a5c25371a0c311c715dd331309649a57


5) Pending vulnerabilities in SUSE Distributions and Workarounds:

See SUSE Security Summary Report.


6) standard appendix: authenticity verification, additional information

  • Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:

    1. md5sums as provided in the (cryptographically signed) announcement.
    2. using the internal gpg signatures of the rpm package.
    3. execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.
    4. rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites:
      1. gpg is installed
      2. The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SUSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
  • SUSE runs two security mailing lists to which any interested party may subscribe:


    suse-security@suse.com

  • general/linux/SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an email to

    <suse-security-subscribe@suse.com>.


suse-security-announce@suse.com

  • SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an email to

<suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq) send mail to:

<suse-security-info@suse.com> or <suse-security-faq@suse.com> respectively.


SUSE's security contact is <security@suse.com> or <security@suse.de>. @suse.de>.

The <security@suse.de> public key is listed below.



The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>