CVE-2018-0618 (https://nvd.nist.gov/vuln/detail/CVE-2018-0618): Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2018-13796 (https://nvd.nist.gov/vuln/detail/CVE-2018-13796): An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site.
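The two NVD entries quoted above give different affected ranges (2.1.26 and earlier for CVE-2018-0618, anything before 2.1.28 for CVE-2018-13796), so "is my installed Mailman affected?" is a version-range check rather than a single comparison. The following is an added example for that check; it is not code from Mailman, from the Gentoo tree, or from anyone in this thread. The function names are my own, the sample version list is constructed, and the example assumes that a Gentoo revision suffix such as -r1 does not change the upstream version being compared (a caveat: a revision may carry a backported fix, which a pure version comparison cannot see).

```python
"""Check a Mailman version string against the affected ranges stated in the
two NVD entries quoted above.  Added example, not project code; helper names
are assumptions and the sample versions are constructed for illustration."""

import re
from typing import Dict, List, Tuple

# Affected ranges exactly as the NVD text states them:
# (CVE, upper bound, whether the bound itself is affected)
AFFECTED: List[Tuple[str, str, bool]] = [
    ("CVE-2018-0618", "2.1.26", True),    # "2.1.26 and earlier"
    ("CVE-2018-13796", "2.1.28", False),  # "before 2.1.28"
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted upstream version ('2.1.29') into a comparable tuple.

    Assumption: a trailing Gentoo revision ('-r1') or patch suffix ('_p1')
    is ignored, i.e. only the upstream version is compared.
    """
    match = re.match(r"^(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so 2.1 == 2.1.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def affected_cves(version: str) -> List[str]:
    """List the CVEs from AFFECTED whose range contains `version`."""
    parsed = parse_version(version)
    hits = []
    for cve, bound, inclusive in AFFECTED:
        result = compare(parsed, parse_version(bound))
        if result < 0 or (inclusive and result == 0):
            hits.append(cve)
    return hits


def audit(versions: List[str]) -> Dict[str, List[str]]:
    """Map each version string to the CVEs that still apply to it."""
    return {ver: affected_cves(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample: the version dropped from the tree, the one
    # committed in this bug, and a few in between.
    for ver, cves in audit(["2.1.26", "2.1.26-r1", "2.1.27",
                            "2.1.28", "2.1.29"]).items():
        print(f"{ver:10} -> {', '.join(cves) or 'not affected'}")
```

Running it shows that 2.1.26 (the ebuild removed below) matches both CVEs, 2.1.27 still matches CVE-2018-13796, and 2.1.28 and 2.1.29 match neither. For a real audit on a Gentoo host, feed it the version reported by the package manager rather than the constructed list, and remember the revision caveat above.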
Any chance of getting mailman 2.1.29 into the portage tree? Thanks and cheers, t.
I committed 2.1.29 now. (CVE-2018-0618 looks like a legit issue; CVE-2018-13796, however, I'd hardly call a vuln.)
Thanks Hanno.
I think this can go stable.
@arches, please stabilize.
amd64 stable
x86 stable
GLSA Vote: Yes. New GLSA Request filed. PPC, please continue stabilization.
ppc stable
@maintainers, please drop vulnerable.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70805405dd792848e1fdb6926ac3ce236d88947f

commit 70805405dd792848e1fdb6926ac3ce236d88947f
Author:     Hanno <hanno@gentoo.org>
AuthorDate: 2019-04-08 14:08:29 +0000
Commit:     Hanno <hanno@gentoo.org>
CommitDate: 2019-04-08 14:09:01 +0000

    net-mail/mailman: Remove vulnerable version.

    Bug: https://bugs.gentoo.org/662902
    Signed-off-by: Hanno Boeck <hanno@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.12

 net-mail/mailman/Manifest              |   1 -
 net-mail/mailman/mailman-2.1.26.ebuild | 167 ---------------------------------
 2 files changed, 168 deletions(-)
This issue was resolved and addressed in GLSA 201904-10 at https://security.gentoo.org/glsa/201904-10 by GLSA coordinator Aaron Bauman (b-man).