openSUSE has issued an advisory today (June 30):
The issue is fixed upstream in 2.1.27.
Mageia 5 and Mageia 6 are also affected.
Assigning to the registered maintainer.
Updated packages built for cauldron and Mageia 6.
Updated mailman package fixes security vulnerability:
It was discovered that mailman versions prior to 2.1.27 contained a vulnerability where malicious list owners could inject evil scripts into listinfo pages (CVE-2018-0618).
Updated packages in core/updates_testing:
Testing procedure https://bugs.mageia.org/show_bug.cgi?id=22550#c5
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
Running test as indicated above is all OK, but to be more complete:
- make sure httpd is running
- run the commands from bug 22550 but make sure that the newlist command is complete - last part of it is on the second line.
- before trying to run the web interface, do
# systemctl start mailman
- to get to your testlist point to http://localhost/mailman/listinfo.cgi/test and click below on "Test administrative interface" to get further.
All works OK.
Advisory committed to svn. Validating the update.
An update for this issue has been pushed to the Mageia Updates repository.