Bug 23409 - mailman new security issue CVE-2018-13796
Summary: mailman new security issue CVE-2018-13796
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-08 15:09 CEST by David Walser
Modified: 2018-09-21 18:27 CEST

See Also:
Source RPM: mailman-2.1.27-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-08-08 15:09:07 CEST
Fedora has issued an advisory on August 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QMI7UFFD7ZLOTUTAKJZPPN6H6ME47ECQ/

The issue is fixed upstream in 2.1.28 (2.1.29 is the latest).

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-08 15:09:14 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-08 19:29:11 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => mrambo
CC: (none) => marja11

Comment 2 Mike Rambo 2018-08-09 15:07:31 CEST
Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated mailman package fixes security vulnerability:

It was discovered that mailman prior to 2.1.29 mishandled URLs in Utils.py:GetPathPieces() which allowed attackers to display arbitrary text on trusted sites (CVE-2018-13796).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-13796
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QMI7UFFD7ZLOTUTAKJZPPN6H6ME47ECQ/
========================

Updated packages in core/updates_testing:
========================
mailman-2.1.29-1.mga6

from mailman-2.1.29-1.mga6.src.rpm


Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=22550#c5

Whiteboard: MGA6TOO => (none)
Assignee: mrambo => qa-bugs
Version: Cauldron => 6
Keywords: (none) => has_procedure
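
The advisory above names the mishandling of URL path pieces as the root cause. The following is an added illustration, not Mailman's own Utils.py code: a strict path-piece parser of the kind a CGI front end can use so that unexpected text from a URL is never reflected into a page served from the trusted site. It assumes, as the page does not detail, that the spoofed text reaches the page through an error message built from a URL path component; the list-name character set and length limit are assumptions as well.

```python
import re

# Assumption: list names are limited to this character set and length;
# adjust for a deployment that allows other names.
LISTNAME_RE = re.compile(r'^[A-Za-z0-9_.-]+$')
MAX_LISTNAME_LENGTH = 64


class BadPathError(ValueError):
    """Raised when PATH_INFO contains something other than list-name pieces."""


def get_path_pieces(path_info):
    """Split PATH_INFO into its non-empty components after validating them.

    Returns the list of pieces or raises BadPathError. The error carries only
    a fixed message and the index of the offending piece, never the piece
    itself, so the caller can show a generic page without echoing the input.
    """
    if path_info is None:
        return []
    # A CR or LF in the path is never legitimate; keep only what precedes it.
    path_info = re.split(r'[\r\n]', path_info, maxsplit=1)[0]
    pieces = [p for p in path_info.split('/') if p]
    for idx, piece in enumerate(pieces):
        if piece in ('.', '..'):
            raise BadPathError('relative path piece at position %d' % idx)
        if len(piece) > MAX_LISTNAME_LENGTH or not LISTNAME_RE.match(piece):
            raise BadPathError('unexpected characters in path piece %d' % idx)
    return pieces


def render_list_page(path_info, known_lists):
    """Return the text shown for a listinfo-style URL whose PATH_INFO is given.

    The unsafe pattern this guards against is interpolating the raw path piece
    into a "No such list <piece>" message, which lets arbitrary text appear on
    the trusted site. Only validated names that actually exist are echoed.
    """
    try:
        pieces = get_path_pieces(path_info)
    except BadPathError:
        return 'Bad URL'            # generic: nothing from the request is reflected
    if not pieces:
        return 'Mailing list overview'
    name = pieces[0].lower()
    if name not in known_lists:
        return 'No such list'       # generic: the requested name is not reflected
    return 'List info: %s' % name
```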

Comment 3 Herman Viaene 2018-08-20 14:53:38 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Following procedure given above, at CLI (after checking httpd is running):
# list_lists
1 matching mailing lists found:
    Mailman - Mailman site list
# newlist --quiet --urlhost=localhost.localdomain --emailhost=localhost.localdomain test hviaene@gmail.com
Initial test password: 
postalias: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
# list_lists
2 matching mailing lists found:
    Mailman - Mailman site list
       Test - [geen omschrijving beschikbaar]
# list_owners
hviaene@gmail.com
root@<myFQDN>
Ensured the web interface available at http://localhost/mailman
# rmlist test
Not removing archives.  Reinvoke with -a to remove them.
postalias: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
Removing list info
# list_lists
1 matching mailing lists found:
    Mailman - Mailman site list
# list_owners
root@<myFQDN>
Looks all OK to me

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Thomas Backlund 2018-09-02 20:32:49 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 4 Thomas Andrews 2018-09-21 04:41:50 CEST
Installed 64-bit mailman + dependencies, then updated the mailman package. All packages installed cleanly. 

Using Herman's tests to verify operation. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2018-09-21 18:27:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0383.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
