
mailman security update

2011-03-03 03:36:16
CentOS Project
lists.centos.org
EPSS: 0.005 (Low), percentile 75.1%

CentOS Errata and Security Advisory CESA-2011:0307

Mailman is a program used to help manage email discussion lists.

Multiple input sanitization flaws were found in the way Mailman displayed
usernames of subscribed users on certain pages. If a user who is subscribed
to a mailing list were able to trick a victim into visiting one of those
pages, they could perform a cross-site scripting (XSS) attack against the
victim. (CVE-2011-0707)

Multiple input sanitization flaws were found in the way Mailman displayed
mailing list information. A mailing list administrator could use this flaw
to conduct a cross-site scripting (XSS) attack against victims viewing a
list’s “listinfo” page. (CVE-2008-0564, CVE-2010-3089)
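Both issues above are the same defect class: subscriber-controlled text (a display name, list description) written into an HTML page without output encoding. The following is an added illustration, not Mailman's code, of that pattern and its fix: a constructed roster, an unescaped "before" renderer, an escaped "after" renderer, and two audit helpers a list administrator could run against a rendered page or a member export. The roster contents, the template and the allowed-tag set are assumptions for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample roster (address, display name), as a subscriber could have set the name.
# The second entry carries HTML markup; an unescaped renderer would emit it as live tags.
SAMPLE_ROSTER = [
    ("alice@example.org", "Alice Example"),
    ("mallory@example.org", "<b>Mallory</b>"),
    ("bob@example.org", 'Bob "Bobby" O\'Neil & Co.'),
]

# Hypothetical template for a member listing; the only tags it itself emits are ul and li.
TEMPLATE_TAGS = frozenset({"ul", "li"})


def render_unsafe(roster):
    """'Before' form: interpolates the display name straight into the HTML (the flaw class)."""
    rows = ["<li>%s &lt;%s&gt;</li>" % (name, addr) for addr, name in roster]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def render_safe(roster):
    """Hardened form: HTML-escape every subscriber-controlled field before interpolation."""
    rows = [
        "<li>%s &lt;%s&gt;</li>" % (html.escape(name, quote=True), html.escape(addr, quote=True))
        for addr, name in roster
    ]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


class _TagCollector(HTMLParser):
    """Collects the set of start tags the browser would actually see in a rendered page."""

    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def unexpected_tags(rendered, allowed=TEMPLATE_TAGS):
    """Audit check on a rendered page: tags present that the template itself never emits.

    A non-empty result means some data field reached the page unescaped.
    """
    parser = _TagCollector()
    parser.feed(rendered)
    return sorted(parser.tags - allowed)


_TAG_RE = re.compile(r"<[^>]*>")


def names_containing_markup(roster):
    """Audit check on a member export: addresses whose display name contains an HTML tag.

    Heuristic only; legitimate names with '&' or quotes are not flagged, tags are.
    """
    return [addr for addr, name in roster if _TAG_RE.search(name)]


if __name__ == "__main__":
    print("unsafe page, foreign tags:", unexpected_tags(render_unsafe(SAMPLE_ROSTER)))
    print("safe page, foreign tags:", unexpected_tags(render_safe(SAMPLE_ROSTER)))
    print("names with markup:", names_containing_markup(SAMPLE_ROSTER))
```

The escaping fix belongs at the point of output, not at subscription time: a name stored escaped breaks when it is later emitted in a non-HTML context such as a mail header, whereas escaping on render is correct for every stored value. The `unexpected_tags` check is the useful regression test for a fix like this, because it compares what a browser would parse against what the template is supposed to produce rather than looking for any particular payload.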

Red Hat would like to thank Mark Sapiro for reporting the CVE-2011-0707 and
CVE-2010-3089 issues.

Users of mailman should upgrade to this updated package, which contains
backported patches to correct these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2011-April/079533.html
https://lists.centos.org/pipermail/centos-announce/2011-April/079534.html
https://lists.centos.org/pipermail/centos-announce/2011-March/079420.html
https://lists.centos.org/pipermail/centos-announce/2011-March/079421.html

Affected packages:
mailman

Upstream details at:
https://access.redhat.com/errata/RHSA-2011:0307