From security@mandriva.com Wed Mar 29 21:19:05 2006 From: security@mandriva.com To: full-disclosure@lists.grok.org.uk Date: Wed, 29 Mar 2006 19:20:00 -0700 Reply-To: xsecurity@mandriva.com Subject: [Full-disclosure] [ MDKSA-2006:061 ] - Updated mailman packages fix DoS from badly formed mime multipart messages. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2006:061 http://www.mandriva.com/security/ _______________________________________________________________________ Package : mailman Date : March 29, 2006 Affected: 10.2, Corporate 3.0 _______________________________________________________________________ Problem Description: Scrubber.py, in Mailman 2.1.5 and earlier, when using email 2.5 (part of Python), is susceptible to a DoS (mailman service stops delivering for the list in question) if it encounters a badly formed mime multipart message with only one part and that part has two blank lines between the first boundary and the end boundary. Updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0052 _______________________________________________________________________ Updated Packages: Mandriva Linux 10.2: 04dcdf49d50ca568b14504c46b22e50b 10.2/RPMS/mailman-2.1.5-15.3.102mdk.i586.rpm 70e27cbd933a762b4c865f07647c44ea 10.2/SRPMS/mailman-2.1.5-15.3.102mdk.src.rpm Mandriva Linux 10.2/X86_64: 52c377eb6eaaf8866a6099f06348de3f x86_64/10.2/RPMS/mailman-2.1.5-15.3.102mdk.x86_64.rpm 70e27cbd933a762b4c865f07647c44ea x86_64/10.2/SRPMS/mailman-2.1.5-15.3.102mdk.src.rpm Corporate 3.0: 9c04212df3b3af0a656eae5e290e6270 corporate/3.0/RPMS/mailman-2.1.4-2.6.C30mdk.i586.rpm 68e3e8d7fd980e8d6202d3d5ad5dbcfc corporate/3.0/SRPMS/mailman-2.1.4-2.6.C30mdk.src.rpm Corporate 3.0/X86_64: 5633cfcdea5b43c352c5a6b807c4f676 x86_64/corporate/3.0/RPMS/mailman-2.1.4-2.6.C30mdk.x86_64.rpm 68e3e8d7fd980e8d6202d3d5ad5dbcfc x86_64/corporate/3.0/SRPMS/mailman-2.1.4-2.6.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEKxPemqjQ0CJFipgRAkN5AJ4i+nVkgdWBVR8NCvcw8eoVxlTr/gCgmGCr tr1nimFC0FhA34mIhZHrOac= =Hs6O -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/