[Secure-testing-team] Bug#888201: mailman: CVE-2018-5950

Salvatore Bonaccorso carnil at debian.org
Tue Jan 23 21:26:06 UTC 2018


Source: mailman
Version: 1:2.1.25-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for mailman, filing for now
as grave since no details on the impact nor on the fix are public, cf.
[1], where it states:

> An XSS vulnerability in the Mailman 2.1 web UI has been reported and
> assigned CVE-2018-5950 which is not yet public.
> 
> I plan to release Mailman 2.1.26 along with a patch for older releases
> to fix this issue on Feb 4, 2018. At that time, full details of the
> vulnerability will be public.
> 
> This is advance notice of the upcoming release and patch for those that
> need a week or two to prepare. The patch will be small and only affect
> one module.

CVE-2018-5950[0]:
| Cross-site scripting (XSS) vulnerability in the web UI in Mailman
| before 2.1.26 allows remote attackers to inject arbitrary web script
| or HTML via unspecified vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5950
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950
[1] https://www.mail-archive.com/mailman-users@python.org/msg70375.html

Please adjust the affected versions in the BTS as needed, once more
details are known.

Regards,
Salvatore
