CVE-2020-15011: GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.
Maintainer, please bump to 2.1.33.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1e931a314384750dc97a87fb0b870f805cafdbb

commit c1e931a314384750dc97a87fb0b870f805cafdbb
Author: Hanno Böck <hanno@gentoo.org>
AuthorDate: 2020-06-26 09:38:17 +0000
Commit: Hanno Böck <hanno@gentoo.org>
CommitDate: 2020-06-26 09:38:17 +0000

net-mail/mailman: Version bump.

Remove patch applied upstream. Fixes security bug CVE-2020-15011.

Bug: https://bugs.gentoo.org/729468
Signed-off-by: Hanno Böck <hanno@gentoo.org>
Package-Manager: Portage-2.3.103, Repoman-2.3.23

net-mail/mailman/Manifest | 1 +
net-mail/mailman/mailman-2.1.33.ebuild | 169 +++++++++++++++++++++++++++++++++
2 files changed, 170 insertions(+)
Let us know when ready to stable.
You can go ahead with stabilizing.
(In reply to Hanno Böck from comment #4)
> You can go ahead with stabilizing.

Sorry, I'd missed this! Going ahead.
x86 stable
ppc stable
amd64 stable. Please cleanup.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a60bfe761b3f5eb9cf5551f753d9447a5d080593

commit a60bfe761b3f5eb9cf5551f753d9447a5d080593
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-07-27 02:35:55 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 03:15:19 +0000

net-mail/mailman: security cleanup

Closes: https://bugs.gentoo.org/729468
Package-Manager: Portage-3.0.0, Repoman-2.3.23
Signed-off-by: Sam James <sam@gentoo.org>

net-mail/mailman/Manifest | 1 -
.../mailman/files/mailman-2.1.29-fix-libdir.diff | 20 ---
net-mail/mailman/mailman-2.1.29-r3.ebuild | 169 --------------------
net-mail/mailman/mailman-2.1.29-r4.ebuild | 172 ---------------------
4 files changed, 362 deletions(-)
XSS so noglsa. Closing.