Bug 26253 - mailman new XSS security issue (CVE-2020-12137) and arbitrary content injection issue (CVE-2020-12108)
Summary: mailman new XSS security issue (CVE-2020-12137) and arbitrary content injecti...
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-25 13:04 CET by David Walser
Modified: 2020-05-13 17:11 CEST (History)
3 users (show)

See Also:
Source RPM: mailman-2.1.29-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-02-25 13:04:48 CET
A security issue has been fixed upstream in mailman 2.1.30rc1:
https://www.openwall.com/lists/oss-security/2020/02/24/2

Mailman 2.1.30 should be out soon:
https://www.openwall.com/lists/oss-security/2020/02/24/3

However, Cauldron should be switched to 3.x because of Python.

Mageia 7 is also affected.
David Walser 2020-02-25 13:05:06 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-02-25 19:43:01 CET
No official maintainer, so assigning globally. CC'ing Mike who has dealt with this pkg in the distant past.

Assignee: bugsquad => pkg-bugs
CC: (none) => mrambo

David Walser 2020-03-19 14:50:30 CET

Status comment: (none) => Fixed upstream in 2.1.30rc1

Comment 2 David GEIGER 2020-04-14 06:39:11 CEST
Done for mga7 with mailman 2.1.30!

CC: (none) => geiger.david68210

Comment 3 David Walser 2020-04-14 16:41:41 CEST
Cauldron also needs to be updated.
Comment 4 David Walser 2020-04-14 16:44:36 CEST
2.1.30 release announcement:
https://mail.python.org/pipermail/mailman-announce/2020-April/000250.html

Relevant bit for this bug:
    - Scrubbed application/octet-stream MIME parts will now be given a
      .bin extension instead of .obj.

Status comment: Fixed upstream in 2.1.30rc1 => (none)

Comment 5 David Walser 2020-04-14 16:47:08 CEST
Latest upstream is 3.3.1rc1.  Cauldron should move to 3.3.x:
https://mailman.readthedocs.io/en/latest/src/mailman/docs/NEWS.html

Status comment: (none) => Cauldron should be updated to 3.3.x

Comment 6 David Walser 2020-04-14 16:51:30 CEST
Saving advisory for the Mageia 7 update.

Advisory:
========================

Updated mailman package fixes security vulnerability:

Up to mailman 2.1.29 when sending a file without a file extension (or an
unknown file extension) then the file is stored in the list archive with the
file extension .obj. Most web servers will try to assign a mime type based on
the file extension and entries in /etc/mime.types, where .obj is usually not
specified. This means the web server will send it out without a mime type.
The browser will then try to guess the MIME type based on the file's content
(MIME-sniffing). If the content is HTML then it will execute any javascript
contained, leading to a potential cross-site scripting vulnerability.

The mailman package has been updated to version 2.1.30, fixing this bug and
other issues.  See the release announcement for details.

References:
https://www.openwall.com/lists/oss-security/2020/02/24/2
https://mail.python.org/pipermail/mailman-announce/2020-April/000250.html
========================

Updated packages in core/updates_testing:
========================
mailman-2.1.30-1.mga7

from mailman-2.1.30-1.mga7.src.rpm
Comment 7 David Walser 2020-04-24 22:16:03 CEST
CVE-2020-12137 has been assigned:
https://www.openwall.com/lists/oss-security/2020/04/24/3

Summary: mailman new XSS security issue => mailman new XSS security issue (CVE-2020-12137)

Comment 8 David Walser 2020-04-28 02:50:17 CEST
Debian has issued an advisory for this on April 26:
https://www.debian.org/security/2020/dsa-4664
Comment 9 David Walser 2020-04-30 19:16:31 CEST
Ubuntu has issued an advisory for this on April 29:
https://usn.ubuntu.com/4348-1/
Comment 10 David Walser 2020-05-09 17:06:24 CEST
Debian-LTS has issued an advisory on May 7:
https://www.debian.org/lts/security/2020/dla-2204

This new issue was fixed upstream in 2.1.31.

Summary: mailman new XSS security issue (CVE-2020-12137) => mailman new XSS security issue (CVE-2020-12137) and arbitrary content injection issue (CVE-2020-12108)
Severity: normal => major

Comment 11 David GEIGER 2020-05-10 07:35:12 CEST
mailman updated to latest stable release 2.1.33 for mga7!
Comment 12 David Walser 2020-05-10 17:15:26 CEST
Saving advisory for the Mageia 7 update.

Advisory:
========================

Updated mailman package fixes security vulnerability:

Up to mailman 2.1.29 when sending a file without a file extension (or an
unknown file extension) then the file is stored in the list archive with the
file extension .obj. Most web servers will try to assign a mime type based on
the file extension and entries in /etc/mime.types, where .obj is usually not
specified. This means the web server will send it out without a mime type.
The browser will then try to guess the MIME type based on the file's content
(MIME-sniffing). If the content is HTML then it will execute any javascript
contained, leading to a potential cross-site scripting vulnerability
(CVE-2020-12137).

/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content
Injection (CVE-2020-12108).

The mailman package has been updated to version 2.1.31, fixing these issues
and other bugs.  See the release announcement for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12137
https://www.openwall.com/lists/oss-security/2020/02/24/2
https://www.openwall.com/lists/oss-security/2020/04/24/3
https://mail.python.org/pipermail/mailman-announce/2020-April/000250.html
https://www.debian.org/lts/security/2020/dla-2204
========================

Updated packages in core/updates_testing:
========================
mailman-2.1.31-1.mga7

from mailman-2.1.31-1.mga7.src.rpm
Comment 13 David GEIGER 2020-05-10 18:56:26 CEST
Note that I pushed release 2.1.33 not 2.1.31.
Comment 14 David Walser 2020-05-10 18:58:44 CEST
Oops, thanks, let's try that again.  Apparently upstream stopped doing release announcements.  We still need to get Cauldron taken care of too (or drop the package in Cauldron if it's too much trouble).

Advisory:
========================

Updated mailman package fixes security vulnerability:

Up to mailman 2.1.29 when sending a file without a file extension (or an
unknown file extension) then the file is stored in the list archive with the
file extension .obj. Most web servers will try to assign a mime type based on
the file extension and entries in /etc/mime.types, where .obj is usually not
specified. This means the web server will send it out without a mime type.
The browser will then try to guess the MIME type based on the file's content
(MIME-sniffing). If the content is HTML then it will execute any javascript
contained, leading to a potential cross-site scripting vulnerability
(CVE-2020-12137).

/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content
Injection (CVE-2020-12108).

The mailman package has been updated to version 2.1.33, fixing these issues
and other bugs.  See the release announcement for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12137
https://www.openwall.com/lists/oss-security/2020/02/24/2
https://www.openwall.com/lists/oss-security/2020/04/24/3
https://mail.python.org/pipermail/mailman-announce/2020-April/000250.html
https://www.debian.org/lts/security/2020/dla-2204
========================

Updated packages in core/updates_testing:
========================
mailman-2.1.33-1.mga7

from mailman-2.1.33-1.mga7.src.rpm
Comment 15 David Walser 2020-05-11 22:42:38 CEST
mailman added to task-obsolete in SVN in Cauldron.

Assigning Mageia 7 update to QA.  See Comment 14.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Status comment: Cauldron should be updated to 3.3.x => (none)

Comment 16 Herman Viaene 2020-05-13 17:11:13 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref Bug 19287 Comment 6 and 7 for testing
Checked /usr/lib64/mailman/Mailman/mm_cfg.py and as I had already a FQDN, it is there, so I didn't have to change anything.
So proceeding:
# systemctl start httpd
# newlist testlist
Enter the email of the person running the list: herman.viaene@hotmail.be
Initial testlist password: 
Hit enter to notify testlist owner...

Here I get lost, because I did as Len before: used my hotmail account, but I have no idea what it means "notify testlist owner". That is certainly not an e-mail, nothing comes in (tested it with a regular mail: all OK).
I could open 
http://localhost/mailman/listinfo.cgi
but there is no list there, and I cann't create a new list: You are not authorized to create new mailing lists
Giving up for the moment.

CC: (none) => herman.viaene


Note You need to log in before you can comment on or make changes to this bug.