Skip Quicknav

• About Debian
• News
• Getting Debian
• Support
• Developers' Corner
• Site map
• Search

Debian Security Advisory

mailman -- weak administrator authentication

Date Reported:

23 Jun 1999

Affected Packages:

mailman

Vulnerable:

Yes

Security database references:

In the Bugtraq database (at SecurityFocus): BugTraq ID 480.
In Mitre's CVE dictionary: CVE-1999-0742.

More information:

We have become aware that the version of mailman as supplied in Debian GNU/Linux 2.1 has a problem with verifying list administrators. The problem is that the cookie value generation used was predictable, so using forged authentication cookies it was possible to access the list administration webpages without knowing the proper password. More information about this vulnerability can be found at python.org mailman-developers list for 1999-June, in the "Cookie security hole in admin interface" thread. This has been fixed in version 1.0rc2-5.

Fixed in:

alpha:

http://security.debian.org/dists/stable/updates/binary-alpha/mailman_1.0rc2-5_alpha.deb

i386:

http://security.debian.org/dists/stable/updates/binary-i386/mailman_1.0rc2-5_i386.deb

m68k:

http://security.debian.org/dists/stable/updates/binary-m68k/mailman_1.0rc2-5_m68k.deb

sparc:

http://security.debian.org/dists/stable/updates/binary-sparc/mailman_1.0rc2-5_sparc.deb

This page is also available in the following languages:

Deutsch español français 日本語 (Nihongo) svenska

How to set the default document language