Executive Summary
Summary | |
---|---|
Title | New mailman packages fix several problems |
Information | |||
---|---|---|---|
Name | DSA-1188 | First vendor Publication | 2006-10-04 |
Vendor | Debian | Last vendor Modification | 2006-10-04 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Several security related problems have been discovered in mailman, the web-based GNU mailing list manager. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-3636: Moritz Naumann discovered several cross-site scripting problems that could allow remote attackers to inject arbitrary web script or HTML.

CVE-2006-4624: Moritz Naumann discovered that a remote attacker can inject arbitrary strings into the logfile.

For the stable distribution (sarge) this problem has been fixed in version 2.1.5-8sarge5.

For the unstable distribution (sid) this problem has been fixed in version 2.1.8-3.

We recommend that you upgrade your mailman package.
Original Source
Url : http://www.debian.org/security/2006/dsa-1188 |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-15 | Command Delimiters |
CAPEC-34 | HTTP Response Splitting |
CAPEC-81 | Web Logs Tampering |
CAPEC-93 | Log Injection-Tampering-Forging |
CAPEC-106 | Cross Site Scripting through Log Files |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10553 | |||
Oval ID: | oval:org.mitre.oval:def:10553 | ||
Title: | Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.9rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
Description: | Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.9rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-3636 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:9756 | |||
Oval ID: | oval:org.mitre.oval:def:9756 | ||
Title: | CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof messages in the error log and possibly trick the administrator into visiting malicious URLs via CRLF sequences in the URI. | ||
Description: | CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof messages in the error log and possibly trick the administrator into visiting malicious URLs via CRLF sequences in the URI. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-4624 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
OpenVAS Exploits
Date | Description |
---|---|
2009-10-10 | Name : SLES9: Security update for mailman File : nvt/sles9p5014078.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200609-12 (mailman) File : nvt/glsa_200609_12.nasl |
2008-09-04 | Name : FreeBSD Ports: ja-mailman, mailman, mailman-with-htdig File : nvt/freebsd_ja-mailman.nasl |
2008-09-04 | Name : FreeBSD Ports: mailman, ja-mailman, mailman-with-htdig File : nvt/freebsd_mailman7.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1188-1 (mailman) File : nvt/deb_1188_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
28438 | Mailman Multiple Unspecified XSS |
28436 | Mailman Utils.py Spoofed Log Entry Injection |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2006-0600.nasl - Type : ACT_GATHER_INFO |
2013-06-29 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2007-0779.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20071115_mailman_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_11243.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_mailman-2174.nasl - Type : ACT_GATHER_INFO |
2007-11-16 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2007-0779.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-345-1.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_mailman-2170.nasl - Type : ACT_GATHER_INFO |
2006-12-16 | Name : The remote Mandrake Linux host is missing a security update. File : mandrake_MDKSA-2006-165.nasl - Type : ACT_GATHER_INFO |
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1188.nasl - Type : ACT_GATHER_INFO |
2006-09-22 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200609-12.nasl - Type : ACT_GATHER_INFO |
2006-09-12 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2006-0600.nasl - Type : ACT_GATHER_INFO |
2006-09-12 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2006-0600.nasl - Type : ACT_GATHER_INFO |
2006-09-05 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_fffa92573c1711db86ab00123ffe8333.nasl - Type : ACT_GATHER_INFO |
2006-09-05 | Name : The remote web server contains a Python application that is affected by a log... File : mailman_log_spoof.nasl - Type : ACT_ATTACK |
Alert History
Date | Information |
---|---|
2014-02-17 11:26:14 |