Bug 23409

Summary: mailman new security issue CVE-2018-13796
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, herman.viaene, marja11, sysadmin-bugs, tmb
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: mailman-2.1.27-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-08-08 15:09:07 CEST 
Fedora has issued an advisory on August 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QMI7UFFD7ZLOTUTAKJZPPN6H6ME47ECQ/

The issue is fixed upstream in 2.1.28 (2.1.29 is the latest).

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-08 15:09:14 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-08 19:29:11 CEST 
Assigning to the registered maintainer.

Assignee: bugsquad => mrambo
CC: (none) => marja11

Comment 2 Mike Rambo 2018-08-09 15:07:31 CEST 
Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated mailman package fixes security vulnerability:

It was discovered that mailman prior to 2.1.29 mishandled URLs in Utils.py:GetPathPieces() which allowed attackers to display arbitrary text on trusted sites (CVE-2018-13796).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-13796
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QMI7UFFD7ZLOTUTAKJZPPN6H6ME47ECQ/
========================

Updated packages in core/updates_testing:
========================
mailman-2.1.29-1.mga6

from mailman-2.1.29-1.mga6.src.rpm


Testing procedure https://bugs.mageia.org/show_bug.cgi?id=22550#c5

Assignee: mrambo => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Keywords: (none) => has_procedure

Comment 3 Herman Viaene 2018-08-20 14:53:38 CEST 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Following procedure given above, at CLI (after checking httpd is running):
# list_lists
1 matching mailing lists found:
    Mailman - Mailman site list
# newlist --quiet --urlhost=localhost.localdomain --emailhost=localhost.localdomain test hviaene@gmail.com
Initial test password: 
postalias: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
# list_lists
2 matching mailing lists found:
    Mailman - Mailman site list
       Test - [geen omschrijving beschikbaar]
# list_owners
hviaene@gmail.com
root@<myFQDN>
Ensured the web interface available at http://localhost/mailman
# rmlist test
Not removing archives.  Reinvoke with -a to remove them.
postalias: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
Removing list info
# list_lists
1 matching mailing lists found:
    Mailman - Mailman site list
# list_owners
root@<myFQDN>
Looks all OK to me

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Thomas Backlund 2018-09-02 20:32:49 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 4 Thomas Andrews 2018-09-21 04:41:50 CEST 
Installed 64-bit mailman + dependencies, then updated the mailman package. All packages installed cleanly. 

Using Herman's tests to verify operation. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2018-09-21 18:27:42 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0383.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED