<?xml version="1.0" encoding="utf-8"?>
<glsa id="200501-29">
<title>Mailman: Cross-site scripting vulnerability</title>
Mailman is vulnerable to cross-site scripting attacks.
<product type="ebuild">mailman</product>
<announced>January 22, 2005</announced>
<revised>January 22, 2005: 01</revised>
<package name="net-mail/mailman" auto="yes" arch="*">
<unaffected range="ge">2.1.5-r3</unaffected>
<vulnerable range="lt">2.1.5-r3</vulnerable>
Mailman is a Python-based mailing list server with an extensive
web interface.
Florian Weimer has discovered a cross-site scripting vulnerability
in the error messages that are produced by Mailman.
<impact type="low">
By enticing a user to visit a specially crafted URL, an
attacker can execute arbitrary script code in the context of
the victim's browser.
There is no known workaround at this time.
All Mailman users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-mail/mailman-2.1.5-r3&quot;</code>
<uri link="">CAN-2004-1177</uri>
<metadata tag="requester" timestamp="Wed, 19 Jan 2005 10:01:17 +0000">
<metadata tag="bugReady" timestamp="Thu, 20 Jan 2005 09:22:10 +0000">
<metadata tag="submitter" timestamp="Fri, 21 Jan 2005 16:36:40 +0000">