Test ID: | 1.3.6.1.4.1.25623.1.0.51582 |
Category: | Conectiva Local Security Checks |
Title: | Conectiva Security Advisory CLA-2001:420 |
Summary: | NOSUMMARY |
Description: |
The remote host is missing updates announced in advisory CLA-2001:420.

Mailman is a mailing list manager. This update fixes two security problems and some other issues not related to security:

1. Versions prior to 2.0.2 (affects CL<=6.0) have a vulnerability which allows a list administrator to obtain the list password of a subscriber. This is not a regular security problem because the list administrator does not need that password to gain access to a user's subscription, but it is quite possible that the user shares this password with other services, such as an email account, even though the web interface gives a clear warning about this password and how it is handled (by default, the password is mailed out every month).

2. Versions prior to 2.0.6 (affects CL<=7.0) have a vulnerability which could allow non-authorized users to gain access to the administrative interface of a list. For this to happen, the global password (located in the data/adm.pw file) has to be empty, which is not very likely. If it is empty, the administrative interface will accept any password as valid.

3. This update also brings a logrotate configuration file to our mailman package. This will regularly rotate the logs in /usr/lib/mailman/logs.

4. Version 2.0.5 (affects CL<=7.0) fixed a problem with stale lock files which can cause a list to be inaccessible for long periods of time until the lock expires or is removed manually.

Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade'.

http://mail.python.org/pipermail/mailman-announce/2001-July/000028.html
http://mail.python.org/pipermail/mailman-announce/2001-March/000022.html
http://mail.python.org/pipermail/mailman-announce/2001-May/000026.html
http://www.securityspace.com/smysecure/catid.html?in=CLA-2001:420
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002001

Risk factor: High |
Copyright | Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com |