Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 662902 (CVE-2018-0618, CVE-2018-13796)

Summary: <net-mail/mailman-2.1.29: multiple vulnerabilities (CVE-2018-{0618,13796})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: hanno, himbeere, net-mail+disabled
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa+ cve cleanup]
Package list:
=net-mail/mailman-2.1.29
 Runtime testing required: No

Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-05 23:37:34 UTC 
CVE-2018-0618 (https://nvd.nist.gov/vuln/detail/CVE-2018-0618):
  Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows
  remote authenticated attackers to inject arbitrary web script or HTML via
  unspecified vectors.

CVE-2018-13796 (https://nvd.nist.gov/vuln/detail/CVE-2018-13796):
  An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can
  cause arbitrary text to be displayed on a web page from a trusted site.
Comment 1 Thomas Stein 2018-09-07 07:00:50 UTC 
Any chance of getting mailman 2.1.29 into the portage tree?

thanks and cheers
t.
Comment 2 Hanno Böck gentoo-dev 2018-09-07 10:58:05 UTC 
I committed 2.1.29 now. (CVE-2018-0618 looks like a legit issue, CVE-2018-13796 however I'd hardly call a vuln.)
Comment 3 Thomas Stein 2018-09-07 11:01:01 UTC 
Thanks Hanno.
Comment 4 Hanno Böck gentoo-dev 2018-10-07 08:32:40 UTC 
I think this can go stable.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-03-26 20:57:12 UTC 
@arches, please stabilize.
Comment 6 Agostino Sarubbo gentoo-dev 2019-03-27 20:04:59 UTC 
amd64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:21:27 UTC 
x86 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:46:22 UTC 
x86 stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-03-28 03:30:56 UTC 
GLSA Vote: Yes
New GLSA Request filed.

PPC please continue stabilization.
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-08 06:09:29 UTC 
ppc stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2019-04-08 13:44:30 UTC 
@maintainers, please drop vulnerable.
Comment 12 Larry the Git Cow gentoo-dev 2019-04-08 14:09:13 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70805405dd792848e1fdb6926ac3ce236d88947f

commit 70805405dd792848e1fdb6926ac3ce236d88947f
Author:     Hanno <hanno@gentoo.org>
AuthorDate: 2019-04-08 14:08:29 +0000
Commit:     Hanno <hanno@gentoo.org>
CommitDate: 2019-04-08 14:09:01 +0000

    net-mail/mailman: Remove vulnerable version.
    
    Bug: https://bugs.gentoo.org/662902
    Signed-off-by: Hanno Boeck <hanno@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.12

 net-mail/mailman/Manifest              |   1 -
 net-mail/mailman/mailman-2.1.26.ebuild | 167 ---------------------------------
 2 files changed, 168 deletions(-)
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2019-04-08 15:20:33 UTC 
This issue was resolved and addressed in
 GLSA 201904-10 at https://security.gentoo.org/glsa/201904-10
by GLSA coordinator Aaron Bauman (b-man).