[Mailman-Developers] Patches in mandriva package
Guillaume Rousse
guillomovitch at zarb.org
Tue Sep 12 09:16:48 CEST 2006
Tokio Kikuchi wrote:
> Hi,
>
> Sorry that I was unable to respond.
>
> Barry Warsaw wrote:
>
>> On Sep 9, 2006, at 10:09 AM, Guillaume Rousse wrote:
>>
>>> I'd like to use this occasion to drop a maximum of patches we still
>>> have:
>>> - is 2.1.9 still vulnerable to CVE-2005-3573? I didn't find any
>>> reference to it in the release notes, and the patch [1] still applies
>>
>> This is the first I've seen of this CVE, but it sounds like bugs that
>> have been addressed in the email package.
>
> This is mentioned in the NEWS of version 2.1.7.
>
> - A note on CVE-2005-3573: Although the RFC2231 bug example in the CVE has
> been solved in Mailman 2.1.6, there may be more cases where
> ToDigest.send_digests() can block regular delivery. We put the
> send_digests() calling part in a try/except clause and leave a message
> in the error log if something happened in send_digests(). Daily call of
> cron/senddigests will provide more detail to the site administrator.
>
> Therefore, 2.1.9 is also not vulnerable. CVE-2005-3573 is a false
> (delayed) alert.
Thanks, I'll remove it.