Bug 729468 (CVE-2020-15011) - <net-mail/mailman-2.1.33: Arbitrary content injection vulnerability (CVE-2020-15011)
Summary: <net-mail/mailman-2.1.33: Arbitrary content injection vulnerability (CVE-2020-...
Status: RESOLVED FIXED
Alias: CVE-2020-15011
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugs.launchpad.net/mailman/+b...
Whiteboard: C4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-24 18:35 UTC by John Helmert III
Modified: 2020-07-27 03:18 UTC

See Also:
Package list:
=net-mail/mailman-2.1.33
Runtime testing required: ---
nattka: sanity-check+


Attachments

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-24 18:35:21 UTC
CVE-2020-15011:

GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-24 18:36:12 UTC
Maintainer, please bump to 2.1.33.
Comment 2 Larry the Git Cow gentoo-dev 2020-06-26 09:38:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1e931a314384750dc97a87fb0b870f805cafdbb

commit c1e931a314384750dc97a87fb0b870f805cafdbb
Author:     Hanno Böck <hanno@gentoo.org>
AuthorDate: 2020-06-26 09:38:17 +0000
Commit:     Hanno Böck <hanno@gentoo.org>
CommitDate: 2020-06-26 09:38:17 +0000

    net-mail/mailman: Version bump.
    
    Remove patch applied upstream.
    Fixes security bug CVE-2020-15011.
    
    Bug: https://bugs.gentoo.org/729468
    Signed-off-by: Hanno Böck <hanno@gentoo.org>
    Package-Manager: Portage-2.3.103, Repoman-2.3.23

 net-mail/mailman/Manifest              |   1 +
 net-mail/mailman/mailman-2.1.33.ebuild | 169 +++++++++++++++++++++++++++++++++
 2 files changed, 170 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-26 12:23:17 UTC
Let us know when ready to stable.
Comment 4 Hanno Böck gentoo-dev 2020-06-29 06:04:45 UTC
You can go ahead with stabilizing.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 20:37:30 UTC
(In reply to Hanno Böck from comment #4)
> You can go ahead with stabilizing.

Sorry, I'd missed this! Going ahead.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 21:52:05 UTC
x86 stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 00:09:03 UTC
ppc stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 01:52:29 UTC
amd64 stable. Please cleanup.
Comment 9 Larry the Git Cow gentoo-dev 2020-07-27 03:15:29 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a60bfe761b3f5eb9cf5551f753d9447a5d080593

commit a60bfe761b3f5eb9cf5551f753d9447a5d080593
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-27 02:35:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 03:15:19 +0000

    net-mail/mailman: security cleanup
    
    Closes: https://bugs.gentoo.org/729468
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 net-mail/mailman/Manifest                          |   1 -
 .../mailman/files/mailman-2.1.29-fix-libdir.diff   |  20 ---
 net-mail/mailman/mailman-2.1.29-r3.ebuild          | 169 --------------------
 net-mail/mailman/mailman-2.1.29-r4.ebuild          | 172 ---------------------
 4 files changed, 362 deletions(-)
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 03:18:09 UTC
XSS so noglsa.

Closing.