Bug 22550 - mailman new security issue CVE-2018-5950
Summary: mailman new security issue CVE-2018-5950
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://www.debian.org/security/2018/...
Whiteboard: mga6-64-ok
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-10 08:22 CET by Zombie Ryushu
Modified: 2018-03-29 23:01 CEST (History)
1 user (show)

See Also:
Source RPM: mailman-2.1.24-1.mga7.src.rpm
CVE: CVE-2018-5950
Status comment: Fixed upstream in 2.1.26


Attachments

Description Zombie Ryushu 2018-02-10 08:22:37 CET
Calum Hutton and the Mailman team discovered a cross site scripting and information leak vulnerability in the user options page. A remote attacker could use a crafted URL to steal cookie information or to fish for whether a user is subscribed to a list with a private roster.

 CVE-2018-5950
Zombie Ryushu 2018-02-10 08:22:55 CET

CVE: (none) => CVE-2018-5950

Comment 1 David Walser 2018-02-10 21:02:26 CET
Debian advisory from February 9:
https://www.debian.org/security/2018/dsa-4108

The issue is fixed upstream in 2.1.26.

Mageia 5 and Mageia 6 are also affected.

Assignee: bugsquad => mrambo
Summary: DSA-4108-1 mailman -- security update CVE-2018-5950 => mailman new security issue CVE-2018-5950
Source RPM: mailman => mailman-2.1.24-1.mga7.src.rpm
Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 2 David Walser 2018-02-10 21:14:00 CET
Ubuntu has issued an advisory for this on February 8:
https://usn.ubuntu.com/usn/usn-3563-1/
David Walser 2018-02-10 22:11:43 CET

Status comment: (none) => Fixed upstream in 2.1.26

Comment 3 Mike Rambo 2018-02-13 15:46:16 CET
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated mailman package fixes security vulnerability:

Calum Hutton and the Mailman team discovered a cross site scripting and information leak vulnerability in the user options page. A remote attacker could use a crafted URL to steal cookie information or to fish for whether a user is subscribed to a list with a private roster (CVE-2018-5950).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950
https://www.debian.org/security/2018/dsa-4108
========================

Updated packages in core/updates_testing:
========================
mailman-2.1.23-2.1.mga6

from mailman-2.1.23-2.1.mga6.src.rpm


Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8067#c24

Whiteboard: MGA6TOO, MGA5TOO => (none)
Assignee: mrambo => qa-bugs
Version: Cauldron => 6
Keywords: (none) => has_procedure

Comment 4 claire robinson 2018-02-28 17:14:17 CET
Advisory uploaded.

Keywords: (none) => advisory

Comment 5 claire robinson 2018-03-29 18:24:01 CEST
Testing complete mga6 64

Without configuring domain etc..

# urpmi mailman

Looked for cli commands with
# urpmf mailman | grep bin


Before
------
# newlist --quiet --urlhost=localhost.localdomain --emailhost=localhost.localdomain test eeeemail@gmail.com
Initial test password: 

# list_lists
2 matching mailing lists found:
    Mailman - Mailman site list
       Test - [no description available]

# list_owners
eeeemail@gmail.com
root@localhost.localdomain


After
-----
# rmlist test
Not removing archives.  Reinvoke with -a to remove them.
Removing list info

# list_lists
1 matching mailing lists found:
    Mailman - Mailman site list

# newlist --quiet --urlhost=localhost.localdomain --emailhost=localhost.localdomain test eeeemail@gmail.com
Initial test password: 

# list_lists
2 matching mailing lists found:
    Mailman - Mailman site list
       Test - [no description available]

# list_owners
eeeemail@gmail.com
root@localhost.localdomain

Ensured the web interface available at http://localhost/mailman

Cleaned up.

# rmlist test
Not removing archives.  Reinvoke with -a to remove them.
Removing list info

# urpme mailman

Whiteboard: (none) => mga6-64-ok

Comment 6 claire robinson 2018-03-29 18:24:27 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-03-29 23:01:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0184.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.