Package        : mailman
Version        : 1:2.1.18-2+deb8u5
CVE ID         : CVE-2020-12137

A vulnerability was discovered in mailman.

GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed
application/octet-stream MIME parts. This behavior may contribute to XSS
attacks against list-archive visitors, because an HTTP reply from an
archive web server may lack a MIME type, and a web browser may perform
MIME sniffing, conclude that the MIME type should have been text/html,
and execute JavaScript code.

For Debian 8 "Jessie", this problem has been fixed in version
1:2.1.18-2+deb8u5.

We recommend that you upgrade your mailman packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
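
The following check is an added example, not part of the advisory or of Mailman: it walks an archive tree and reports scrubbed .obj attachments whose leading bytes a sniffing browser could plausibly treat as text/html. The signature list is a simplified approximation of browser sniffing, and the directory layout and sample files in demo() are constructed.

```python
import os
import re
import tempfile

# Simplified approximation of the HTML signatures a sniffing browser looks
# for at the start of an untyped response (leading whitespace is skipped).
HTML_PREFIX = re.compile(
    rb"^[\t\n\x0c\r ]*<(?:!doctype html|html|head|body|script|iframe|"
    rb"h1|div|font|table|a|style|title|b|br|p)[ >]|^[\t\n\x0c\r ]*<!--",
    re.IGNORECASE,
)

def looks_like_html(data: bytes) -> bool:
    """True if the first bytes would plausibly be sniffed as text/html."""
    return HTML_PREFIX.search(data[:1024]) is not None

def find_risky_obj(root: str) -> list:
    """Return .obj files under root whose content starts like HTML."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".obj"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if looks_like_html(fh.read(1024)):
                        hits.append(path)
    return sorted(hits)

def demo() -> list:
    """Run the scan over a constructed archive tree (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed layout; pass your real archive directory instead.
        att = os.path.join(root, "attachments", "20200501", "abcd1234")
        os.makedirs(att)
        samples = {
            "attachment.obj": b"\n <HTML><body>constructed sample</body></html>",
            "attachment-0001.obj": b"\x00\x01\x02 binary blob",
            "notes.txt": b"<html>not an .obj file</html>",
        }
        for name, data in samples.items():
            with open(os.path.join(att, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in find_risky_obj(root)]

if __name__ == "__main__":
    print(demo())
```

Files reported by find_risky_obj() are the ones worth reviewing after the upgrade, since attachments scrubbed before the fix keep their .obj names on disk.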
