Hi Devs. 2.1.26 is a security update fixing an XSS. - An XSS vulnerability in the user options CGI could allow a crafted URL to execute arbitrary javascript in a user's browser. A related issue could expose information on a user's options page without requiring login. These are fixed. Thanks to Calum Hutton for the report. CVE-2018-5950 (LP: #1747209) Reproducible: Always
Bumped, no other changes. Security: I think we can stabilize.
@Arches please test and mark stable mailman-2.1.26
amd64 stable
x86 stable
Looking good on ppc. # cat mailman-648116.report USE tests started on Mo 14. Mai 20:19:30 CEST 2018 FEATURES= test succeeded for =net-mail/mailman-2.1.26
ppc stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e91348631831deb8af9b0b1a3a99a174eb743e7 commit 5e91348631831deb8af9b0b1a3a99a174eb743e7 Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2018-05-26 14:11:07 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2018-05-26 14:11:07 +0000 net-mail/mailman: drop vulnerable Bug: https://bugs.gentoo.org/648116 Package-Manager: Portage-2.3.40, Repoman-2.3.9 net-mail/mailman/Manifest | 1 - net-mail/mailman/mailman-2.1.24.ebuild | 167 --------------------------------- 2 files changed, 168 deletions(-)
GLSA Vote: No