Summary: | <net-mail/mailman-2.1.20: Path traversal vulnerability (CVE-2015-2775) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | hanno, net-mail+disabled |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://mail.python.org/pipermail/mailman-announce/2015-March/000207.html | | |
Whiteboard: | B4 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-03-30 15:23:24 UTC
Bumped, please stabilize mailman-2.1.20, target keywords: KEYWORDS="amd64 ppc x86"

This is upstream's description of the vuln:

- A path traversal vulnerability has been discovered and fixed. This vulnerability is only exploitable by a local user on a Mailman server where the suggested Exim transport, the Postfix postfix_to_mailman.py transport or some other programmatic MTA delivery not using aliases is employed. CVE-2015-2775 (LP: #1437145)

Stable for amd64/ppc/x86

Arches, Thank you for your work. Maintainer(s), please drop the vulnerable version(s). GLSA Vote: No

CVE-2015-2775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2775): Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute arbitrary files via a .. (dot dot) in a list name.

It has been 30 days+ since cleanup requested. Maintainer(s), please drop the vulnerable version(s). GLSA Vote: No

cleanup done.

Maintainer(s), Thank you for cleanup.
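The CVE text above attributes the issue to a `..` in a list name reaching path construction when delivery is programmatic rather than through static aliases. The following is an added example, not Mailman's code and not part of this bug report, of the check a delivery script can apply before using a list name as a directory name; the allowed-character set, the function names and the one-directory-per-list layout are assumptions.

```python
import os
import re

# Assumption: characters this example permits in a list name. Note that "."
# is allowed, so the name ".." passes this check on its own.
ALLOWED = re.compile(r"[-+_.=a-z0-9]+")


class BadListName(ValueError):
    """The name must not be used to locate a list directory."""


def list_dir(lists_root, listname):
    """Map a list name taken from a recipient address to its directory.

    Raises BadListName unless the result is a direct child of lists_root.
    """
    name = listname.lower()
    if not ALLOWED.fullmatch(name):
        raise BadListName("illegal characters in %r" % listname)
    root = os.path.realpath(lists_root)
    candidate = os.path.realpath(os.path.join(root, name))
    # Containment check: catches ".", ".." and symlinks that leave the root.
    if os.path.dirname(candidate) != root:
        raise BadListName("%r resolves outside %s" % (listname, root))
    return candidate


def is_safe(lists_root, listname):
    """True if list_dir() accepts the name, False if it rejects it."""
    try:
        list_dir(lists_root, listname)
        return True
    except BadListName:
        return False


if __name__ == "__main__":
    import tempfile
    demo_root = tempfile.mkdtemp()  # constructed stand-in for the lists directory
    for sample in ["announce", "..", "../../tmp/evil", "a/b"]:  # constructed
        print(repr(sample), "->", "ok" if is_safe(demo_root, sample) else "rejected")
```

The character allowlist alone is not sufficient here because `..` consists only of permitted characters; the resolved-path comparison is what rejects it.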