Bug#358575: mailman 2.1.5-8sarge3: screwup between security and maintainer upload
* Martin Schulze:
> Imho, it's more useful to upload 2.1.5-8sarge4 and only bump the version number to get the new version built for all architectures into the archive.

While you are at it, you could also include this patch:

Revision: 8001
http://svn.sourceforge.net/mailman/?rev=8001&view=rev
Author: bwarsaw
Date: 2006-08-30 07:54:22 -0700 (Wed, 30 Aug 2006)

Log Message:
---
CVE-2006-3636. Fixes for various cross-site scripting issues. Discovery by Moritz Naumann and most of the repair work done by Mark Sapiro (with some additional work by Barry).

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#358575: mailman 2.1.5-8sarge3: screwup between security and maintainer upload
Hi,

let a be an architecture in sarge. Then one of the following holds for mailman in sarge r3:
 - it is affected by a security problem.
 - it has a severity critical bug.

Mailman in sid:
 - may or may not suffer from a security problem

A security problem in Mailman in sarge patched in May has _not_ been issued a DSA.

Details:

There seems to have been a screw-up in handling of mailman security and stable updates: there are two different mailman packages in Debian with version number 2.1.5-8sarge3.

History, in chronological order:

-8sarge2 security update to fix:
  potential DoS attack with malformed multi-part messages (closes: #358892) [CVE-2006-0052]

-8sarge3 maintainer update (that got frozen waiting for -8sarge2 to happen in order not to conflict with it) to fix bug #358575, a severity critical bug. Uploaded to stable-proposed-updates in the night from 11 to 12 April 2006, where it created problems because -8sarge1 was going into sarge r2, and having -8sarge3 appear confused everything. Stable update team says something along the lines of "will consider for sarge r3".

-8sarge3 security update to fix:
  format string vulnerability [src/common.c, debian/patches/72_CVE-2006-2191.dpatch]

That security update has not been announced by a DSA, and cannot be downloaded from http://security.debian.org/pool/updates/main/m/mailman/ . I don't have access to the source of this package. It was apparently prepared by Martin "Joey" Schulze on 13 May 2006.

As a maintainer of Mailman, I have no recollection of being notified of CVE-2006-2191 (it is possible I have missed the notification, but my email archives do not contain anything relevant with subject "mailman" and "2191" in the body); the CVE entry at mitre.org contains no information. I have no idea whether this security problem affects the version in sid or not; I have no precise information on _what_ this security problem is.
The situation right now:
 - sarge r3 contains mailman 2.1.5-8sarge3, but some architectures have the security update (such as i386) and others have the maintainer update (such as source, sparc and alpha). Thus all architectures are screwed up in one way or the other.
 - mailman 2.1.5-8sarge3 the security update is not publicly available, except for a few select architectures in binary form only (no source).

So, please, security team, tell us about CVE-2006-2191. If appropriate, issue a DSA about it, for a package under version number -8sarge4, built on top of -8sarge3 the maintainer update. Please give us (the mailman-in-Debian maintainers) the information needed to fix CVE-2006-2191 in sid, or make a retroactive note in the changelog to note when it was fixed by a new upstream version.

Stable release team, please react accordingly; you may for example do a binary sourceless NMU for the architectures that have -8sarge3 the security update so that they all have -8sarge3 the maintainer update.

Thank you in advance for your participation in untangling that mess,

--
Lionel Elie Mamane
Bug#358575: mailman 2.1.5-8sarge3: screwup between security and maintainer upload
Lionel Elie Mamane wrote:
> let a be an architecture in sarge. Then one of the following holds for mailman in sarge r3:
>  - it is affected by a security problem.
>  - it has a severity critical bug.
>
> Mailman in sid:
>  - may or may not suffer from a security problem
>
> A security problem in Mailman in sarge patched in May has _not_ been issued a DSA.

Oh. Which security problem are you talking about?

> There seems to have been a screw-up in handling of mailman security and stable updates: there are two different mailman packages in Debian with version number 2.1.5-8sarge3.

Ugh? How did that happen? Where is the second one? I only see 2.1.5-8sarge3 in stable but only 2.1.5-8sarge2 in the security archive.

> History, in chronological order:
>
> -8sarge2 security update to fix:
>   potential DoS attack with malformed multi-part messages (closes: #358892) [CVE-2006-0052]
>
> -8sarge3 maintainer update (that got frozen waiting for -8sarge2 to happen in order not to conflict with it) to fix bug #358575, a severity critical bug. Uploaded to stable-proposed-updates in the night from 11 to 12 April 2006, where it created problems because -8sarge1 was going into sarge r2, and having -8sarge3 appear confused everything. Stable update team says something along the lines of "will consider for sarge r3".

Apparently it has been installed in the archive.

> -8sarge3 security update to fix:
>   format string vulnerability [src/common.c, debian/patches/72_CVE-2006-2191.dpatch]
>
> That security update has not been announced by a DSA, and cannot be downloaded from http://security.debian.org/pool/updates/main/m/mailman/ . I don't have access to the source of this package. It was apparently prepared by Martin "Joey" Schulze on 13 May 2006.

Umh? But where is it? I don't have it either. I have recorded the patch to fix this vulnerability, though. It's attached.
> As a maintainer of Mailman, I have no recollection of being notified of CVE-2006-2191 (it is possible I have missed the notification, but my email archives do not contain anything relevant with subject "mailman" and "2191" in the body); the CVE entry at mitre.org contains no information. I have no idea whether this security problem affects the version in sid or not; I have no precise information on _what_ this security problem is.

I found a trace. Apparently this problem has been considered not exploitable later, and hence the issue was disregarded. The researcher was Karl Chen. He suggested to file a normal bug then. If that has happened, you should have (had) it in your bug list.

> The situation right now:
>  - sarge r3 contains mailman 2.1.5-8sarge3, but some architectures have the security update (such as i386) and others have the maintainer update (such as source, sparc and alpha). Thus all architectures are screwed up in one way or the other.

AARRRGGG! This is an interesting screwup...

> So, please, security team, tell us about CVE-2006-2191. If appropriate, issue a DSA about it, for a package under version number -8sarge4, built on top of -8sarge3 the maintainer update. Please give us (the mailman-in-Debian maintainers) the information needed to fix CVE-2006-2191 in sid, or make a retroactive note in the changelog to note when it was fixed by a new upstream version.

I'll forward you the mails wrt this issue. Guess we didn't contact you earlier because it became a non-issue.

> Stable release team, please react accordingly; you may for example do a binary sourceless NMU for the architectures that have -8sarge3 the security update so that they all have -8sarge3 the maintainer update.

Imho, it's more useful to upload 2.1.5-8sarge4 and only bump the version number to get the new version built for all architectures into the archive.

Regards,

Joey

--
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.
Bug#358575: mailman 2.1.5-8sarge3: screwup between security and maintainer upload
Hi *,

Martin Schulze [EMAIL PROTECTED] writes:

>> Stable release team, please react accordingly; you may for example do a binary sourceless NMU for the architectures that have -8sarge3 the security update so that they all have -8sarge3 the maintainer update.
>
> Imho, it's more useful to upload 2.1.5-8sarge4 and only bump the version number to get the new version built for all architectures into the archive.

Please go ahead.

Greetings
Martin

--
Martin Zobel-Helas              GPG Key-ID: 0x5d64f870
Debian Developer                eMail Privat: [EMAIL PROTECTED]
Debian Stable Release Manager   eMail Debian: [EMAIL PROTECTED]