Your message dated Sun, 04 Feb 2018 18:49:54 +0000
with message-id <e1eipmq-0000jb...@fasolo.debian.org>
and subject line Bug#888201: fixed in mailman 1:2.1.26-1
has caused the Debian Bug report #888201,
regarding mailman: CVE-2018-5950
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888201: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888201
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mailman
Version: 1:2.1.25-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for mailman, filing for now
as grave since neither details on the impact nor the fix is public, cf.
[1], where it states:

> An XSS vulnerability in the Mailman 2.1 web UI has been reported and
> assigned CVE-2018-5950 which is not yet public.
> 
> I plan to release Mailman 2.1.26 along with a patch for older releases
> to fix this issue on Feb 4, 2018. At that time, full details of the
> vulnerability will be public.
> 
> This is advance notice of the upcoming release and patch for those that
> need a week or two to prepare. The patch will be small and only affect
> one module.

CVE-2018-5950[0]:
| Cross-site scripting (XSS) vulnerability in the web UI in Mailman
| before 2.1.26 allows remote attackers to inject arbitrary web script
| or HTML via unspecified vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5950
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950
[1] https://www.mail-archive.com/mailman-users@python.org/msg70375.html

Please adjust the affected versions in the BTS as needed, once more
details are known.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mailman
Source-Version: 1:2.1.26-1

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sun, 04 Feb 2018 18:23:18 +0000
Source: mailman
Binary: mailman
Architecture: source amd64
Version: 1:2.1.26-1
Distribution: unstable
Urgency: medium
Maintainer: Mailman for Debian <pkg-mailman-hack...@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description:
 mailman    - Web-based mailing list manager (legacy branch)
Closes: 888201
Changes:
 mailman (1:2.1.26-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes XSS in user options CGI (CVE-2018-5950, closes: #888201)
   * Document that this is the legacy branch of Mailman and that all
     major development is focused on Mailman 3 (package mailman3).


--- End Message ---
