Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 648116 (CVE-2018-5950) - <net-mail/mailman-2.1.26: XSS
Summary: <net-mail/mailman-2.1.26: XSS
Status: RESOLVED FIXED
Alias: CVE-2018-5950
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://launchpad.net/mailman/2.1/2.1.26
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-19 13:58 UTC by Thomas Stein
Modified: 2018-05-26 14:11 UTC (History)
3 users (show)

See Also:
Package list:
net-mail/mailman-2.1.26
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Stein 2018-02-19 13:58:54 UTC 
Hi Devs.
2.1.26 is a security update fixing an XSS.

   - An XSS vulnerability in the user options CGI could allow a crafted URL
      to execute arbitrary javascript in a user's browser. A related issue
      could expose information on a user's options page without requiring
      login. These are fixed. Thanks to Calum Hutton for the report.
      CVE-2018-5950 (LP: #1747209)



Reproducible: Always
Comment 1 Hanno Böck gentoo-dev 2018-02-21 11:05:36 UTC 
Bumped, no other changes.

Security: I think we can stabilize.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-14 22:30:55 UTC 
@Arches please test and mark stable mailman-2.1.26
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-03-15 11:14:04 UTC 
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-18 00:44:35 UTC 
x86 stable
Comment 5 ernsteiswuerfel archtester 2018-05-14 18:34:22 UTC 
Looking good on ppc.

# cat mailman-648116.report 
USE tests started on Mo 14. Mai 20:19:30 CEST 2018

 FEATURES= test succeeded for =net-mail/mailman-2.1.26
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-05-26 12:47:46 UTC 
ppc stable
Comment 7 Larry the Git Cow gentoo-dev 2018-05-26 14:11:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e91348631831deb8af9b0b1a3a99a174eb743e7

commit 5e91348631831deb8af9b0b1a3a99a174eb743e7
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-05-26 14:11:07 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-26 14:11:07 +0000

    net-mail/mailman: drop vulnerable
    
    Bug: https://bugs.gentoo.org/648116
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 net-mail/mailman/Manifest              |   1 -
 net-mail/mailman/mailman-2.1.24.ebuild | 167 ---------------------------------
 2 files changed, 168 deletions(-)
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2018-05-26 14:11:37 UTC 
GLSA Vote: No