629090 – <net-mail/mailman-2.1.24: XSS

Bug 629090 - <net-mail/mailman-2.1.24: XSS

Summary: <net-mail/mailman-2.1.24: XSS

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://mail.python.org/pipermail/mai...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2017-08-27 17:52 UTC by Thomas Stein
Modified:	2018-01-19 15:45 UTC (History)
CC List:	3 users (show)

See Also:
Package list:	=net-mail/mailman-2.1.24
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Stein 2017-08-27 17:52:05 UTC

Hello Devs.

mailman 2.1.24 has been released in June. An updated ebuild would be cool.

thanks and cheers
t.

Reproducible: Always

Comment 1 Jonas Stein gentoo-dev

2017-08-27 19:40:00 UTC

Thank you for the bump request. 
You can help the maintainer with further information:
Does a simple bump [1] work on your system? 
Chances are high, because a first look on the bump revealed only small changes.

[1] https://wiki.gentoo.org/wiki/Custom_repository#Simple_version_bump_of_an_ebuild_in_the_local_overlay

Comment 2 Hanno Böck gentoo-dev

2017-09-26 12:15:54 UTC

This is actually a security update fixing an XSS. It's likely minor and according to upstream unexploitable in common settings (e.g. apache). Probably no GLSA, but we should still handle it.

From the release notes:
    - A most likely unexploitable XSS attach that relies on the Mailman web
      server passing a crafted Host: header to the CGI environment has been
      fixed.  Apache for one is not vulnerable.  Thanks to Alqnas Eslam.

Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-26 14:14:40 UTC

Thank you Hanno,

@Maintainers please let us know when the new version is available to stabilize.

Gentoo Security Padawan
ChrisADR

Comment 4 Hanno Böck gentoo-dev

2017-09-26 15:33:48 UTC

I am the maintainer :-) Please go ahead with stabilization.

Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-26 15:40:57 UTC

Great :)

@Arches, please test and mark stable.

Gentoo Security Padawan
ChrisADR

Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-26 16:14:32 UTC

amd64 tested, ok.

PS: At the moment sourcefoge is offline, i.e. I had to change SRC_URI to https://launchpad.net/mailman mirror manually.

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-30 04:13:51 UTC

ppc stable

Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev

2017-10-03 00:43:06 UTC

x86 stable

Comment 9 Agostino Sarubbo gentoo-dev

2017-10-25 09:31:50 UTC

amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 10 Aaron Bauman (RETIRED) gentoo-dev

2017-10-26 00:32:14 UTC

GLSA Vote: No

Comment 11 Aaron Bauman (RETIRED) gentoo-dev

2018-01-19 14:17:45 UTC

@maintainer(s), can the vulnerable version (2.1.23) please be cleaned?

Comment 12 Thomas Stein 2018-01-19 14:40:05 UTC

Can we please bump to 2.1.25 while we on it?

Comment 13 Larry the Git Cow gentoo-dev

2018-01-19 15:45:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a457bf8f1e829aa4afbe6217c059c3ed6796720

commit 4a457bf8f1e829aa4afbe6217c059c3ed6796720
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-01-19 15:44:38 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-01-19 15:44:38 +0000

    net-mail/mailman: Drop old (insecure) version
    
    Bug: https://bugs.gentoo.org/629090
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 net-mail/mailman/Manifest              |   1 -
 net-mail/mailman/mailman-2.1.23.ebuild | 167 ---------------------------------
 2 files changed, 168 deletions(-)}

Comment 14 Mikle Kolyada (RETIRED) archtester

2018-01-19 15:45:57 UTC

Done