| Summary: | mailman new security issue CVE-2018-5950 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Zombie Ryushu <zombie_ryushu> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.debian.org/security/2018/dsa-4108 | | |
| Whiteboard: | mga6-64-ok | | |
| Source RPM: | mailman-2.1.24-1.mga7.src.rpm | CVE: | CVE-2018-5950 |
| Status comment: | Fixed upstream in 2.1.26 | | |

Description
Zombie Ryushu
2018-02-10 08:22:37 CET

Zombie Ryushu
2018-02-10 08:22:55 CET

CVE: (none) => CVE-2018-5950

Debian advisory from February 9:
https://www.debian.org/security/2018/dsa-4108

The issue is fixed upstream in 2.1.26.

Mageia 5 and Mageia 6 are also affected.

Assignee: bugsquad => mrambo

Ubuntu has issued an advisory for this on February 8:
https://usn.ubuntu.com/usn/usn-3563-1/

David Walser
2018-02-10 22:11:43 CET

Status comment: (none) => Fixed upstream in 2.1.26

Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated mailman package fixes security vulnerability:

Calum Hutton and the Mailman team discovered a cross site scripting and
information leak vulnerability in the user options page. A remote attacker
could use a crafted URL to steal cookie information or to fish for whether
a user is subscribed to a list with a private roster (CVE-2018-5950).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950
https://www.debian.org/security/2018/dsa-4108
========================

Updated packages in core/updates_testing:
========================
mailman-2.1.23-2.1.mga6

from mailman-2.1.23-2.1.mga6.src.rpm

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8067#c24

Keywords: (none) => has_procedure

Testing complete mga6 64

Without configuring domain etc.

# urpmi mailman

Looked for cli commands with
# urpmf mailman | grep bin

Before
------
# newlist --quiet --urlhost=localhost.localdomain --emailhost=localhost.localdomain test eeeemail@gmail.com
Initial test password:
# list_lists
2 matching mailing lists found:
    Mailman - Mailman site list
       Test - [no description available]
# list_owners
eeeemail@gmail.com
root@localhost.localdomain

After
-----
# rmlist test
Not removing archives. Reinvoke with -a to remove them.
Removing list info
# list_lists
1 matching mailing lists found:
    Mailman - Mailman site list
# newlist --quiet --urlhost=localhost.localdomain --emailhost=localhost.localdomain test eeeemail@gmail.com
Initial test password:
# list_lists
2 matching mailing lists found:
    Mailman - Mailman site list
       Test - [no description available]
# list_owners
eeeemail@gmail.com
root@localhost.localdomain

Ensured the web interface was available at http://localhost/mailman

Cleaned up.
# rmlist test
Not removing archives. Reinvoke with -a to remove them.
Removing list info
# urpme mailman

Whiteboard: (none) => mga6-64-ok

Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0184.html

Status: NEW => RESOLVED