Bug 662902 (CVE-2018-0618, CVE-2018-13796) - <net-mail/mailman-2.1.29: multiple vulnerabilities (CVE-2018-{0618,13796})
Summary: <net-mail/mailman-2.1.29: multiple vulnerabilities (CVE-2018-{0618,13796})
Alias: CVE-2018-0618, CVE-2018-13796
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve cleanup]
Depends on:
Reported: 2018-08-05 23:37 UTC by GLSAMaker/CVETool Bot
Modified: 2019-04-08 15:20 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: No
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-05 23:37:34 UTC
CVE-2018-0618:
  Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows
  remote authenticated attackers to inject arbitrary web script or HTML via
  unspecified vectors.

CVE-2018-13796:
  An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can
  cause arbitrary text to be displayed on a web page from a trusted site.
Comment 1 Thomas Stein 2018-09-07 07:00:50 UTC
Any chance of getting mailman 2.1.29 into the portage tree?

thanks and cheers
Comment 2 Hanno Böck gentoo-dev 2018-09-07 10:58:05 UTC
I committed 2.1.29 now. (CVE-2018-0618 looks like a legit issue, CVE-2018-13796 however I'd hardly call a vuln.)
Comment 3 Thomas Stein 2018-09-07 11:01:01 UTC
Thanks Hanno.
Comment 4 Hanno Böck gentoo-dev 2018-10-07 08:32:40 UTC
I think this can go stable.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-03-26 20:57:12 UTC
@arches, please stabilize.
Comment 6 Agostino Sarubbo gentoo-dev 2019-03-27 20:04:59 UTC
amd64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:21:27 UTC
x86 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:46:22 UTC
x86 stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-03-28 03:30:56 UTC
GLSA Vote: Yes
New GLSA Request filed.

PPC please continue stabilization.
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-08 06:09:29 UTC
ppc stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2019-04-08 13:44:30 UTC
@maintainers, please drop vulnerable.
Comment 12 Larry the Git Cow gentoo-dev 2019-04-08 14:09:13 UTC
The bug has been referenced in the following commit(s):

commit 70805405dd792848e1fdb6926ac3ce236d88947f
Author:     Hanno <>
AuthorDate: 2019-04-08 14:08:29 +0000
Commit:     Hanno <>
CommitDate: 2019-04-08 14:09:01 +0000

    net-mail/mailman: Remove vulnerable version.
    Signed-off-by: Hanno Boeck <>
    Package-Manager: Portage-2.3.62, Repoman-2.3.12

 net-mail/mailman/Manifest              |   1 -
 net-mail/mailman/mailman-2.1.26.ebuild | 167 ---------------------------------
 2 files changed, 168 deletions(-)
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2019-04-08 15:20:33 UTC
This issue was resolved and addressed in
 GLSA 201904-10 at
by GLSA coordinator Aaron Bauman (b-man).