Steve Alexander discovered that mailman did not properly handle
attachments with special filenames. A remote user could exploit that
to stop mail delivery until the server administrator manually cleaned
these posts. (CVE-2006-2941)
Various cross-site scripting vulnerabilities have been reported by
Barry Warsaw. By using specially crafted email addresses, names, and
similar arbitrary user-defined strings, a remote attacker could
exploit this to run web script code in the list administrator’s
web browser. (CVE-2006-3636)
URLs logged to the error log file are now checked for invalid
characters. Before, specially crafted URLs could inject arbitrary
messages into the log.