A security issue has been fixed upstream in mailman 2.1.30rc1:
https://www.openwall.com/lists/oss-security/2020/02/24/2

Mailman 2.1.30 should be out soon:
https://www.openwall.com/lists/oss-security/2020/02/24/3

However, Cauldron should be switched to 3.x because of Python. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
No official maintainer, so assigning globally. CC'ing Mike who has dealt with this pkg in the distant past.
CC: (none) => mrambo
Assignee: bugsquad => pkg-bugs
Status comment: (none) => Fixed upstream in 2.1.30rc1
Done for mga7 with mailman 2.1.30!
CC: (none) => geiger.david68210
Cauldron also needs to be updated.
2.1.30 release announcement:
https://mail.python.org/pipermail/mailman-announce/2020-April/000250.html

Relevant bit for this bug:
- Scrubbed application/octet-stream MIME parts will now be given a .bin extension instead of .obj.
Status comment: Fixed upstream in 2.1.30rc1 => (none)
Latest upstream is 3.3.1rc1. Cauldron should move to 3.3.x:
https://mailman.readthedocs.io/en/latest/src/mailman/docs/NEWS.html
Status comment: (none) => Cauldron should be updated to 3.3.x
Saving advisory for the Mageia 7 update.

Advisory:
========================

Updated mailman package fixes security vulnerability:

Up to mailman 2.1.29 when sending a file without a file extension (or an unknown file extension) then the file is stored in the list archive with the file extension .obj. Most web servers will try to assign a mime type based on the file extension and entries in /etc/mime.types, where .obj is usually not specified. This means the web server will send it out without a mime type. The browser will then try to guess the MIME type based on the file's content (MIME-sniffing). If the content is HTML then it will execute any javascript contained, leading to a potential cross-site scripting vulnerability.

The mailman package has been updated to version 2.1.30, fixing this bug and other issues. See the release announcement for details.

References:
https://www.openwall.com/lists/oss-security/2020/02/24/2
https://mail.python.org/pipermail/mailman-announce/2020-April/000250.html
========================

Updated packages in core/updates_testing:
========================

mailman-2.1.30-1.mga7

from mailman-2.1.30-1.mga7.src.rpm
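The advisory above describes archive attachments that were scrubbed with a .obj extension and then MIME-sniffed by browsers. The following is an added audit script, not part of this bug report or of Mailman itself, that walks a pipermail archive tree looking for pre-2.1.30 .obj attachments whose bytes look like HTML; the directory layout, the sample files and the HTML sniffing heuristic are constructed assumptions for the demonstration.

```python
"""Audit a Mailman 2.1 archive for scrubbed .obj attachments that sniff as HTML.

Before 2.1.30, parts with no usable extension were stored as *.obj. A web
server with no mime type for .obj sends them without Content-Type, and the
browser guesses from content (CVE-2020-12137 scenario). Example code only.
"""
import os
import re
import tempfile

# Crude sniff: the first 1 KiB, after leading whitespace, starts with one of
# the tags browsers are likely to treat as HTML. Constructed heuristic.
_HTML_START = re.compile(rb"^\s*(<!doctype\s+html|<html|<head|<body|<iframe)", re.I)


def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes resemble an HTML document."""
    return bool(_HTML_START.search(data[:1024]))


def find_risky_scrubbed_parts(archive_root: str) -> list:
    """Return sorted paths of *.obj files under archive_root that sniff as HTML."""
    hits = []
    for dirpath, _dirs, files in os.walk(archive_root):
        for name in files:
            if name.lower().endswith(".obj"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if looks_like_html(fh.read(1024)):
                        hits.append(path)
    return sorted(hits)


def build_sample_archive(root: str) -> str:
    """Create a constructed archive tree: one HTML-looking .obj, one binary
    .obj, and one .bin as 2.1.30 would name it. Returns the attachment dir."""
    att = os.path.join(root, "testlist", "attachments", "20200224", "abc123")
    os.makedirs(att, exist_ok=True)
    samples = {
        "attachment.obj": b"<html><body>hello from a scrubbed part</body></html>",
        "attachment-0001.obj": b"\x00\x01\x02\x03 not html",
        "attachment.bin": b"<html>renamed by 2.1.30, still worth a nosniff header</html>",
    }
    for name, data in samples.items():
        with open(os.path.join(att, name), "wb") as fh:
            fh.write(data)
    return att


def demo() -> list:
    """Build the constructed sample tree in a temp dir and return hit basenames."""
    root = tempfile.mkdtemp(prefix="mm-audit-")
    build_sample_archive(root)
    return [os.path.basename(p) for p in find_risky_scrubbed_parts(root)]
```

Point it at the real archive root (for example the list's attachments directory under the pipermail tree) to list files worth reviewing; independently of the package update, serving the archive vhost with an explicit Content-Type and an `X-Content-Type-Options: nosniff` header stops the browser-side guessing the advisory relies on.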
CVE-2020-12137 has been assigned: https://www.openwall.com/lists/oss-security/2020/04/24/3
Summary: mailman new XSS security issue => mailman new XSS security issue (CVE-2020-12137)
Debian has issued an advisory for this on April 26: https://www.debian.org/security/2020/dsa-4664
Ubuntu has issued an advisory for this on April 29: https://usn.ubuntu.com/4348-1/
Debian-LTS has issued an advisory on May 7:
https://www.debian.org/lts/security/2020/dla-2204

This new issue was fixed upstream in 2.1.31.
Summary: mailman new XSS security issue (CVE-2020-12137) => mailman new XSS security issue (CVE-2020-12137) and arbitrary content injection issue (CVE-2020-12108)
Severity: normal => major
mailman updated to latest stable release 2.1.33 for mga7!
Saving advisory for the Mageia 7 update.

Advisory:
========================

Updated mailman package fixes security vulnerability:

Up to mailman 2.1.29 when sending a file without a file extension (or an unknown file extension) then the file is stored in the list archive with the file extension .obj. Most web servers will try to assign a mime type based on the file extension and entries in /etc/mime.types, where .obj is usually not specified. This means the web server will send it out without a mime type. The browser will then try to guess the MIME type based on the file's content (MIME-sniffing). If the content is HTML then it will execute any javascript contained, leading to a potential cross-site scripting vulnerability (CVE-2020-12137).

/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection (CVE-2020-12108).

The mailman package has been updated to version 2.1.31, fixing these issues and other bugs. See the release announcement for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12137
https://www.openwall.com/lists/oss-security/2020/02/24/2
https://www.openwall.com/lists/oss-security/2020/04/24/3
https://mail.python.org/pipermail/mailman-announce/2020-April/000250.html
https://www.debian.org/lts/security/2020/dla-2204
========================

Updated packages in core/updates_testing:
========================

mailman-2.1.31-1.mga7

from mailman-2.1.31-1.mga7.src.rpm
Note that I pushed release 2.1.33 not 2.1.31.
Oops, thanks, let's try that again. Apparently upstream stopped doing release announcements.

We still need to get Cauldron taken care of too (or drop the package in Cauldron if it's too much trouble).

Advisory:
========================

Updated mailman package fixes security vulnerability:

Up to mailman 2.1.29 when sending a file without a file extension (or an unknown file extension) then the file is stored in the list archive with the file extension .obj. Most web servers will try to assign a mime type based on the file extension and entries in /etc/mime.types, where .obj is usually not specified. This means the web server will send it out without a mime type. The browser will then try to guess the MIME type based on the file's content (MIME-sniffing). If the content is HTML then it will execute any javascript contained, leading to a potential cross-site scripting vulnerability (CVE-2020-12137).

/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection (CVE-2020-12108).

The mailman package has been updated to version 2.1.33, fixing these issues and other bugs. See the release announcement for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12137
https://www.openwall.com/lists/oss-security/2020/02/24/2
https://www.openwall.com/lists/oss-security/2020/04/24/3
https://mail.python.org/pipermail/mailman-announce/2020-April/000250.html
https://www.debian.org/lts/security/2020/dla-2204
========================

Updated packages in core/updates_testing:
========================

mailman-2.1.33-1.mga7

from mailman-2.1.33-1.mga7.src.rpm
mailman added to task-obsolete in SVN in Cauldron.

Assigning Mageia 7 update to QA. See Comment 14.
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
Status comment: Cauldron should be updated to 3.3.x => (none)
Whiteboard: MGA7TOO => (none)
MGA7-64 Plasma on Lenovo B50

No installation issues.

Ref Bug 19287 Comment 6 and 7 for testing.

Checked /usr/lib64/mailman/Mailman/mm_cfg.py and as I had already a FQDN, it is there, so I didn't have to change anything. So proceeding:

# systemctl start httpd
# newlist testlist
Enter the email of the person running the list: herman.viaene@hotmail.be
Initial testlist password:
Hit enter to notify testlist owner...

Here I get lost, because I did as Len before: used my hotmail account, but I have no idea what it means "notify testlist owner". That is certainly not an e-mail, nothing comes in (tested it with a regular mail: all OK).

I could open http://localhost/mailman/listinfo.cgi but there is no list there, and I can't create a new list:
You are not authorized to create new mailing lists

Giving up for the moment.
CC: (none) => herman.viaene
Installed, enabled and started mailman.service

I already have fqdn setup along with postfix and apache.

As root ran mmsitepass to generate an initial password, sent to my user id as configured in postfix.

Used firefox at http://i7v.hodgins.homeip.net/mailman/admin.cgi/mailman with the password from the mail message to confirm mailman is working.

Used http://i7v.hodgins.homeip.net/mailman/admin.cgi/mailman/passwords to set all passwords to my user password.

Installed the update, restarted mailman.service to be sure the updated program is in use, and confirmed http://i7v.hodgins.homeip.net/mailman/admin.cgi/mailman is still working.

Did not try to test the security fix, just that the program is still working, and able to subscribe to the mailman list.
Whiteboard: (none) => MGA7-32-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
This update also fixes CVE-2020-15011. Debian-LTS has issued an advisory for this on June 30:
https://www.debian.org/lts/security/2020/dla-2265

Advisory:
========================

Updated mailman package fixes security vulnerability:

Up to mailman 2.1.29 when sending a file without a file extension (or an unknown file extension) then the file is stored in the list archive with the file extension .obj. Most web servers will try to assign a mime type based on the file extension and entries in /etc/mime.types, where .obj is usually not specified. This means the web server will send it out without a mime type. The browser will then try to guess the MIME type based on the file's content (MIME-sniffing). If the content is HTML then it will execute any javascript contained, leading to a potential cross-site scripting vulnerability (CVE-2020-12137).

/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection (CVE-2020-12108).

GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page (CVE-2020-15011).

The mailman package has been updated to version 2.1.33, fixing these issues and other bugs. See the release announcements for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15011
https://www.openwall.com/lists/oss-security/2020/02/24/2
https://www.openwall.com/lists/oss-security/2020/04/24/3
https://mail.python.org/pipermail/mailman-announce/2020-April/000250.html
https://mail.python.org/archives/list/mailman-announce@python.org/thread/SYBIZ3MNSQZLKN6PVKO7ZKR7QMOBMS45/
https://www.debian.org/lts/security/2020/dla-2204
https://www.debian.org/lts/security/2020/dla-2265
Summary: mailman new XSS security issue (CVE-2020-12137) and arbitrary content injection issue (CVE-2020-12108) => mailman new XSS security issue (CVE-2020-12137) and arbitrary content injection issues (CVE-2020-12108, CVE-2020-15011)
CC: (none) => mageia
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0276.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED