Your message dated Fri, 23 Feb 2018 13:34:51 +0000
with message-id <e1epdux-0002t4...@fasolo.debian.org>
and subject line Bug#888201: fixed in mailman 1:2.1.18-2+deb8u2
has caused the Debian Bug report #888201,
regarding mailman: CVE-2018-5950
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888201: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888201
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mailman
Version: 1:2.1.25-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for mailman, filing for now
as grave since no details on the impact nor the fix are public, cf.
[1], where it states:

> An XSS vulnerability in the Mailman 2.1 web UI has been reported and
> assigned CVE-2018-5950 which is not yet public.
> 
> I plan to release Mailman 2.1.26 along with a patch for older releases
> to fix this issue on Feb 4, 2018. At that time, full details of the
> vulnerability will be public.
> 
> This is advance notice of the upcoming release and patch for those that
> need a week or two to prepare. The patch will be small and only affect
> one module.

CVE-2018-5950[0]:
| Cross-site scripting (XSS) vulnerability in the web UI in Mailman
| before 2.1.26 allows remote attackers to inject arbitrary web script
| or HTML via unspecified vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5950
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950
[1] https://www.mail-archive.com/mailman-users@python.org/msg70375.html

Please adjust the affected versions in the BTS as needed, once more
details are known.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mailman
Source-Version: 1:2.1.18-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Feb 2018 07:30:49 +0100
Source: mailman
Binary: mailman
Architecture: source amd64
Version: 1:2.1.18-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Mailman for Debian <pkg-mailman-hack...@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description:
 mailman    - Powerful, web-based mailing list manager
Closes: 888201
Changes:
 mailman (1:2.1.18-2+deb8u2) jessie-security; urgency=high
 .
   * CVE-2018-5950: XSS and information leak in user options.
     (Closes: #888201).
Checksums-Sha1:
 ca5e21728c8264e165292c068b781f881bd5cbf0 1707 mailman_2.1.18-2+deb8u2.dsc
 cb4d793ade7b76f2654334873a0dd5cff5e9007a 105508 mailman_2.1.18-2+deb8u2.debian.tar.xz
 f5c250c25e12bd2fe3a6be74ca10caaf67919969 4326716 mailman_2.1.18-2+deb8u2_amd64.deb
Checksums-Sha256:
 656412b1af81dd99ead0d513ea5504bd2b9b89d2f8c4b904cb2b559f525457a1 1707 mailman_2.1.18-2+deb8u2.dsc
 a3a368350c1476ef87bf4328a0bbf52c8b85884916270fa8fa8765689395d8a7 105508 mailman_2.1.18-2+deb8u2.debian.tar.xz
 614ba8c117737614fa9d448e051aee7c41da6c1434ee9f49540763f5b6eb6f25 4326716 mailman_2.1.18-2+deb8u2_amd64.deb
Files:
 67e1d4da48432e75acf4a5c4efa58e43 1707 mail optional mailman_2.1.18-2+deb8u2.dsc
 afba24b0d6a82fbb30438a5194cc7116 105508 mail optional mailman_2.1.18-2+deb8u2.debian.tar.xz
 52a3c9640c23e4c38b250483d130ecb1 4326716 mail optional mailman_2.1.18-2+deb8u2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJafEv5AAoJEFb2GnlAHawEnYQH/1QtZWfemx7iRWPVZ9iQhkYb
s6eI3+oJ68LzWor9kRoBQS6utNLypwJzgk4cgEoD6SwCx3wSilKU4iWFMm8yvksW
HIbDt7RrGNj+gqAkF/OPJ3CRf2cigfrDul4b4IZgZRtpwXb9swwVjb+pyyxTcoZe
dOi6ammrDT44KtJT5YLhNDSXivP/UWV15b2/7iWot0sDyEQr877dzoimRoC+xcDl
rW9Q199q5Nv5ylsl7DYgYSzofT7/QOoHiDH4hTJREfLhg01aGSxkxcibYQIEWLOl
evTwXOUTro8L39tNkpEr5cup9CEmjJctuLiWRns/Nq/PXGp87kZura8Sm5TPq+o=
=ZY57
-----END PGP SIGNATURE-----

--- End Message ---