Bug 337095 (CVE-2010-3089) - net-mail/mailman: Multiple XSS Vulnerabilities (CVE-2010-3089)
Summary: net-mail/mailman: Multiple XSS Vulnerabilities (CVE-2010-3089)
Status: RESOLVED FIXED
Alias: CVE-2010-3089
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://mail.python.org/pipermail/mail...
Whiteboard: B4 [noglsa]
Reported: 2010-09-13 15:28 UTC by Tim Sammut (RETIRED)
Modified: 2010-11-21 17:00 UTC
Runtime testing required: ---
Description Tim Sammut (RETIRED) gentoo-dev 2010-09-13 15:28:04 UTC
From $URL:

> I plan to release a Mailman 2.1.14 candidate release towards the end of
> next week (Sept 9 or 10). This release will have enhanced XSS defenses
> addressing two recently discovered vulnerabilities. Since release of the
> code will potentially expose the vulnerabilities, I plan to publish a
> patch against the 2.1.13 base with the fix before actually releasing the
> 2.1.14 candidate.

Patch available at:

http://mail.python.org/pipermail/mailman-announce/attachments/20100909/c9d893e6/attachment.txt
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-09-13 20:26:52 UTC
CVE assignment per http://www.openwall.com/lists/oss-security/2010/09/13/5:

> There are two mailman vulns. fixed by the following patch:
> http://mail.python.org/pipermail/mailman-announce/2010-September/000151.html
> 
> Particular Red Hat Bugzilla entries are the following:
> 
> 	https://bugzilla.redhat.com/show_bug.cgi?id=631881

CVE-2010-3089 mailman XSS via list information HTML template


> 	https://bugzilla.redhat.com/show_bug.cgi?id=631859

CVE-2010-3090 mailman XSS in list information overview
Comment 2 Hanno Böck gentoo-dev 2010-09-13 23:11:09 UTC
I've committed 2.1.14_rc1 - I'm unsure if we want to have an rc version as a stabilization target, but I consider it not worth creating another .13 version (which has other issues as well).
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2010-09-13 23:42:17 UTC
CVE-2010-3090 will be rejected per:

http://www.openwall.com/lists/oss-security/2010/09/13/12
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2010-09-25 16:37:25 UTC
CVE-2010-3089 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3089):
  Multiple cross-site scripting (XSS) vulnerabilities in GNU Mailman before
  2.1.14rc1 allow remote authenticated users to inject arbitrary web script or
  HTML via vectors involving (1) the list information field or (2) the list
  description field.

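As an added illustration (not code from this bug or from Mailman itself), the following Python shows the two defender-side checks the NVD text above implies: deciding whether an installed version falls in the affected range "before 2.1.14rc1" (note that a release candidate sorts before the final release of the same number, which matters for the 2.1.14_rc1 package discussed in this bug), and rendering an owner-supplied list description into the overview page with HTML escaping so it cannot carry script. The version-parsing regex and the rendering helper are assumptions made for this example.

```python
import html
import re

# Affected range per the NVD description on this bug: GNU Mailman before 2.1.14rc1.
# The version grammar below (X.Y.Z with an optional rcN suffix) is an assumption
# for this example, not Mailman's own version handling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[_-]?rc(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '2.1.14rc1' / '2.1.14_rc1' / '2.1.14' into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Mailman version: {version!r}")
    major, minor, patch, rc = m.groups()
    # A release candidate precedes the final release of the same number,
    # so the rc gets a finite rank and the final release gets +inf.
    rank = int(rc) if rc is not None else float("inf")
    return (int(major), int(minor), int(patch), rank)


FIXED_IN = parse_version("2.1.14rc1")


def is_affected(version: str) -> bool:
    """True when the given Mailman version is older than the fixed 2.1.14rc1."""
    return parse_version(version) < FIXED_IN


def render_list_overview(listname: str, description: str) -> str:
    """Render one entry of a list overview page with the owner-supplied
    description escaped, which is the mitigation for this class of stored XSS."""
    safe_name = html.escape(listname, quote=True)
    safe_desc = html.escape(description, quote=True)
    return f'<li><a href="listinfo/{safe_name}">{safe_name}</a> - {safe_desc}</li>'


if __name__ == "__main__":
    for v in ("2.1.13", "2.1.14_rc1", "2.1.14"):
        print(v, "affected" if is_affected(v) else "fixed")
    # Constructed sample description containing markup, as a list owner could supply.
    print(render_list_overview("announce", '<script>alert("x")</script>'))
```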
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2010-10-01 20:50:48 UTC
Hi, Hanno.

It looks like 2.1.14 has been released.

http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/annotate/head:/NEWS

Is it an appropriate stabilization target?
Comment 6 Hanno Böck gentoo-dev 2010-10-04 19:17:56 UTC
mailman-2.1.14 in tree, please test and stabilize.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2010-10-06 08:09:54 UTC
amd64 done
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-10-06 14:50:45 UTC
x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2010-10-10 17:09:50 UTC
sparc stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2010-10-15 12:48:59 UTC
ppc done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-10-15 13:16:37 UTC
Thanks, everyone.

GLSA Vote: No. This is a stored/persistent XSS but only for authenticated mailing list owners according to https://bugzilla.redhat.com/show_bug.cgi?id=631881.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 17:00:20 UTC
Agreed, closing noglsa.