Your message dated Wed, 14 Feb 2018 21:17:20 +0000
with message-id <e1em4qa-000ecu...@fasolo.debian.org>
and subject line Bug#888201: fixed in mailman 1:2.1.23-1+deb9u2
has caused the Debian Bug report #888201,
regarding mailman: CVE-2018-5950
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888201: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888201
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mailman
Version: 1:2.1.25-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for mailman, filing for now
as grave since no details on the impact nor the fix are public, cf.
[1], where it states:

> An XSS vulnerability in the Mailman 2.1 web UI has been reported and
> assigned CVE-2018-5950 which is not yet public.
> 
> I plan to release Mailman 2.1.26 along with a patch for older releases
> to fix this issue on Feb 4, 2018. At that time, full details of the
> vulnerability will be public.
> 
> This is advance notice of the upcoming release and patch for those that
> need a week or two to prepare. The patch will be small and only affect
> one module.

CVE-2018-5950[0]:
| Cross-site scripting (XSS) vulnerability in the web UI in Mailman
| before 2.1.26 allows remote attackers to inject arbitrary web script
| or HTML via unspecified vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5950
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950
[1] https://www.mail-archive.com/mailman-users@python.org/msg70375.html

Please adjust the affected versions in the BTS as needed, once more
details are known.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mailman
Source-Version: 1:2.1.23-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 08 Feb 2018 07:54:28 +0100
Source: mailman
Binary: mailman
Architecture: source amd64
Version: 1:2.1.23-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Mailman for Debian <pkg-mailman-hack...@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description:
 mailman    - Powerful, web-based mailing list manager
Closes: 888201
Changes:
 mailman (1:2.1.23-1+deb9u2) stretch-security; urgency=high
 .
   * CVE-2018-5950: XSS and information leak in user options.
     (Closes: #888201)


--- End Message ---
