Debian Security Advisory
mailman -- weak administrator authentication
- Date Reported:
- 23 Jun 1999
- Affected Packages:
- mailman
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 480.
- In Mitre's CVE dictionary: CVE-1999-0742.
- More information:
- We have become aware that the version of mailman supplied in Debian GNU/Linux 2.1 has a problem with verifying list administrators. The value of the cookie used to authenticate administrators to the web interface was generated in a predictable way, so an attacker could forge an authentication cookie and reach the list administration web pages without knowing the administrator password. More information about this vulnerability can be found in the python.org mailman-developers list archive for June 1999, in the "Cookie security hole in admin interface" thread.
This has been fixed in version 1.0rc2-5.
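The failure mode described above, as an added example that is not the code shipped in mailman 1.0rc2 and not Mailman's actual fix: an illustrative cookie scheme whose value depends only on information an attacker can know (list name and the current hour), beside a hardened scheme keyed with a server-side secret, bounded by an expiry, and bound to a digest of the current administrator password. The function names, the list name "announce", the password and the site secret are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# ---- Weak scheme (illustrative; NOT the code shipped in mailman 1.0rc2) ----
# The cookie is a digest of the list name and the current hour. Both are
# public or guessable and there is no server-side secret, so anyone who can
# compute the same digest can forge a valid cookie without the password.
def weak_admin_cookie(list_name: str, now: int) -> str:
    return hashlib.md5(f"{list_name}:{now // 3600}".encode()).hexdigest()

def weak_verify(cookie: str, list_name: str, now: int) -> bool:
    return hmac.compare_digest(cookie, weak_admin_cookie(list_name, now))

def forge_weak_cookie(list_name: str, now: int) -> str:
    # Attacker's view: same public inputs, same function, valid cookie.
    return weak_admin_cookie(list_name, now)

# ---- Hardened scheme (illustrative) ----
# cookie = list_name:expires:HMAC-SHA256(secret, list_name:expires:pw_digest)
# * secret never leaves the server, so outsiders cannot compute the tag
# * expires bounds the cookie's lifetime
# * pw_digest binds the cookie to the current admin password, so changing
#   the password revokes every cookie issued under the old one
def _password_digest(admin_password: str) -> str:
    return hashlib.sha256(admin_password.encode()).hexdigest()

def _tag(secret: bytes, list_name: str, expires: int, admin_password: str) -> str:
    msg = f"{list_name}:{expires}:{_password_digest(admin_password)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def make_admin_cookie(secret: bytes, list_name: str, admin_password: str,
                      now: int, ttl: int = 3600) -> str:
    expires = now + ttl
    return f"{list_name}:{expires}:{_tag(secret, list_name, expires, admin_password)}"

def verify_admin_cookie(secret: bytes, cookie: str, list_name: str,
                        admin_password: str, now: int) -> bool:
    # Reject malformed cookies before doing any cryptographic comparison.
    parts = cookie.split(":")
    if len(parts) != 3:
        return False
    name, expires_s, tag = parts
    if name != list_name or not expires_s.isdigit():
        return False
    expires = int(expires_s)
    if expires <= now:
        return False
    expected = _tag(secret, name, expires, admin_password)
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(tag, expected)

if __name__ == "__main__":
    now = int(time.time())
    print("forged weak cookie accepted:",
          weak_verify(forge_weak_cookie("announce", now), "announce", now))
    site_secret = secrets.token_bytes(32)  # generated once per site, kept server-side
    cookie = make_admin_cookie(site_secret, "announce", "listpass", now)
    print("genuine cookie accepted:",
          verify_admin_cookie(site_secret, cookie, "announce", "listpass", now))
    name, exp, tag = cookie.split(":")
    tampered = f"{name}:{int(exp) + 86400}:{tag}"
    print("tampered cookie accepted:",
          verify_admin_cookie(site_secret, tampered, "announce", "listpass", now))
```

The point of the hardened version is that every input an attacker controls (list name, expiry) is covered by a MAC under a key they do not have, and that the cookie can be invalidated server-side by changing the password, without keeping per-session state.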
- Fixed in:
- alpha:
- http://security.debian.org/dists/stable/updates/binary-alpha/mailman_1.0rc2-5_alpha.deb
- i386:
- http://security.debian.org/dists/stable/updates/binary-i386/mailman_1.0rc2-5_i386.deb
- m68k:
- http://security.debian.org/dists/stable/updates/binary-m68k/mailman_1.0rc2-5_m68k.deb
- sparc:
- http://security.debian.org/dists/stable/updates/binary-sparc/mailman_1.0rc2-5_sparc.deb