Hi, Sorry that I was unable to respond.

Barry Warsaw wrote:
> On Sep 9, 2006, at 10:09 AM, Guillaume Rousse wrote:
>
>> I'd like to use this occasion to drop a maximum of patches we still
>> have:
>> - is 2.1.9 still vulnerable to CVE-2005-3573? I didn't find any
>> reference to it in the release notes, and the patch [1] still applies
>
> This is the first I've seen of this CVE, but it sounds like bugs that
> have been addressed in the email package.

This is mentioned in the NEWS of version 2.1.7.

- A note on CVE-2005-3573: Although the RFC2231 bug example in the CVE
  has been solved in Mailman 2.1.6, there may be more cases where
  ToDigest.send_digests() can block regular delivery. We put the
  send_digests() calling part in a try/except clause and leave a message
  in the error log if something happened in send_digests(). Daily call
  of cron/senddigests will provide more detail to the site
  administrator.

Therefore, 2.1.9 is also not vulnerable. CVE-2005-3573 is a false
(delayed) alert.

-- 
Tokio Kikuchi [EMAIL PROTECTED]
http://weather.is.kochi-u.ac.jp/
_______________________________________________
Mailman-Developers mailing list
http://mail.python.org/mailman/listinfo/mailman-developers
