Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows
remote authenticated attackers to inject arbitrary web script or HTML via
An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can
cause arbitrary text to be displayed on a web page from a trusted site.
Any chance of getting mailman 2.1.29 into the portage tree?
thanks and cheers
I committed 2.1.29 now. (CVE-2018-0618 looks like a legit issue; CVE-2018-13796, however, I'd hardly call a vuln.)
I think this can go stable.
@arches, please stabilize.
GLSA Vote: Yes
New GLSA Request filed.
PPC please continue stabilization.
@maintainers, please drop vulnerable.
The bug has been referenced in the following commit(s):
Author: Hanno <firstname.lastname@example.org>
AuthorDate: 2019-04-08 14:08:29 +0000
Commit: Hanno <email@example.com>
CommitDate: 2019-04-08 14:09:01 +0000
net-mail/mailman: Remove vulnerable version.
Signed-off-by: Hanno Boeck <firstname.lastname@example.org>
Package-Manager: Portage-2.3.62, Repoman-2.3.12
net-mail/mailman/Manifest | 1 -
net-mail/mailman/mailman-2.1.26.ebuild | 167 ---------------------------------
2 files changed, 168 deletions(-)
This issue was resolved and addressed in
GLSA 201904-10 at https://security.gentoo.org/glsa/201904-10
by GLSA coordinator Aaron Bauman (b-man).