Bug 23256

Summary: mailman new security issue CVE-2018-0618
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, marja11, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: mailman-2.1.26-2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-06-30 18:53:58 CEST 
openSUSE has issued an advisory today (June 30):
https://lists.opensuse.org/opensuse-updates/2018-06/msg00147.html

The issue is fixed upstream in 2.1.27.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-06-30 18:54:07 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-07-01 06:59:15 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => mrambo

Comment 2 Mike Rambo 2018-07-02 20:46:03 CEST 
Updated packages built for cauldron and Mageia 6.

Advisory:
========================

Updated mailman package fixes security vulnerability:

It was discovered that mailman version prior to 2.1.27 contained a vulnerability where malicious list owners could inject evil scripts into listinfo pages (CVE-2018-0618).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-0618
https://lists.opensuse.org/opensuse-updates/2018-06/msg00147.html
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-0618.html
========================

Updated packages in core/updates_testing:
========================
mailman-2.1.27-1.mga6.x86_64.rpm

from mailman-2.1.27-1.mga6.src.rpm


Testing procedure https://bugs.mageia.org/show_bug.cgi?id=22550#c5

Version: Cauldron => 6
Assignee: mrambo => qa-bugs
Keywords: (none) => has_procedure
Whiteboard: MGA6TOO => (none)

Comment 3 Herman Viaene 2018-07-03 10:32:21 CEST 
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
Running test as indicated above is all OK, but to be more complete:
- make sure httpd is running
- run the commands from bug 22550 but make sure that the newlist command is complete - last part of it is on the second line.
- before trying to run the webinterface, do
# systemctl start mailman
- to get to your testlist point to http://localhost/mailman/listinfo.cgi/test and click below on "Test administrative interface" to get further.

All works OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 Dave Hodgins 2018-07-11 22:51:34 CEST 
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2018-07-11 23:48:31 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0313.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED