mailman: CVE-2018-13796: Arbitrary text injection vulnerability in Mailman CGIs

Related Vulnerabilities: CVE-2018-13796  

Debian Bug report logs - #903674


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 12 Jul 2018 19:42:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version mailman/1:2.1.23-1

Fixed in versions mailman/1:2.1.27-1.1, mailman/1:2.1.23-1+deb9u4

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.launchpad.net/mailman/+bug/1780874



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#903674; Package src:mailman. (Thu, 12 Jul 2018 19:42:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. (Thu, 12 Jul 2018 19:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mailman: CVE-2018-13796: (yet) unspecified vulnerability in mailman
Date: Thu, 12 Jul 2018 21:40:07 +0200
Source: mailman
Version: 1:2.1.23-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for mailman, details are not
yet published. The 2.1.28 release along with details will be on 23rd
July 2018.

CVE-2018-13796[0]:
| Unspecified vulnerability in Mailman before 2.1.28 has unknown impact
| and attack vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-13796
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13796
[1] https://mail.python.org/pipermail/mailman-users/2018-July/083536.html
[2] https://mail.python.org/pipermail/mailman-users/2018-July/083537.html

Regards,
Salvatore



Set Bug forwarded-to-address to 'https://bugs.launchpad.net/mailman/+bug/1780874'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 Jul 2018 07:36:04 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 30 Jul 2018 17:15:08 GMT)


Changed Bug title to 'mailman: CVE-2018-13796: Arbitrary text injection vulnerability in Mailman CGIs' from 'mailman: CVE-2018-13796: (yet) unspecified vulnerability in mailman'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Sep 2018 20:09:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#903674; Package src:mailman. (Sun, 02 Sep 2018 20:45:16 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. (Sun, 02 Sep 2018 20:45:16 GMT)


Message #16 received at 903674@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 903674@bugs.debian.org
Subject: mailman: diff for NMU version 1:2.1.27-1.1
Date: Sun, 2 Sep 2018 22:40:04 +0200
Control: tags 903674 + patch
Control: tags 903674 + pending


Dear maintainer,

I've prepared an NMU for mailman (versioned as 1:2.1.27-1.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[mailman-2.1.27-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 903674-submit@bugs.debian.org. (Sun, 02 Sep 2018 20:45:16 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 903674-submit@bugs.debian.org. (Sun, 02 Sep 2018 20:45:17 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 03 Sep 2018 19:39:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 03 Sep 2018 19:39:05 GMT)


Message #25 received at 903674-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 903674-close@bugs.debian.org
Subject: Bug#903674: fixed in mailman 1:2.1.27-1.1
Date: Mon, 03 Sep 2018 19:35:11 +0000
Source: mailman
Source-Version: 1:2.1.27-1.1

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903674@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 02 Sep 2018 22:23:45 +0200
Source: mailman
Binary: mailman
Architecture: source
Version: 1:2.1.27-1.1
Distribution: unstable
Urgency: medium
Maintainer: Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 903674
Description: 
 mailman    - Web-based mailing list manager (legacy branch)
Changes:
 mailman (1:2.1.27-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796)
     (Closes: #903674)
Checksums-Sha1: 
 d3cbc18f71de7fc1f0877db423b395142e884e0e 2214 mailman_2.1.27-1.1.dsc
 b0ce80e170f8ef52c09d3c594bbb719f2daa4e8e 100180 mailman_2.1.27-1.1.debian.tar.xz
Checksums-Sha256: 
 1ee2339351038be6491d2c7c334f248177652f9d21819c5c2338f0e853431952 2214 mailman_2.1.27-1.1.dsc
 df7adcd428f0f11c3904a86415f78598d18c640f51dc91e531cd97933271b850 100180 mailman_2.1.27-1.1.debian.tar.xz
Files: 
 8b79baf0f2080635b8246c5739174c95 2214 mail optional mailman_2.1.27-1.1.dsc
 51cb7afb9ab3bff9ad8c91f26d891e5b 100180 mail optional mailman_2.1.27-1.1.debian.tar.xz





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 04 Oct 2018 19:18:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 04 Oct 2018 19:18:15 GMT)


Message #30 received at 903674-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 903674-close@bugs.debian.org
Subject: Bug#903674: fixed in mailman 1:2.1.23-1+deb9u4
Date: Thu, 04 Oct 2018 19:17:08 +0000
Source: mailman
Source-Version: 1:2.1.23-1+deb9u4

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903674@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 03 Sep 2018 22:00:38 +0200
Source: mailman
Binary: mailman
Architecture: source
Version: 1:2.1.23-1+deb9u4
Distribution: stretch
Urgency: medium
Maintainer: Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 903674
Description: 
 mailman    - Powerful, web-based mailing list manager
Changes:
 mailman (1:2.1.23-1+deb9u4) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796)
     (Closes: #903674)
Checksums-Sha1: 
 3012bc7ace1fe98067d70e670dfc45178303b0dc 2308 mailman_2.1.23-1+deb9u4.dsc
 af347fe0a946afba8da9c6f214367bf0ee446221 104776 mailman_2.1.23-1+deb9u4.debian.tar.xz
Checksums-Sha256: 
 6643613999573df02a389901e731960d607fe3943ca35d21b5742090899802ea 2308 mailman_2.1.23-1+deb9u4.dsc
 1640ba7df8a208386da341e964c6577fd43cd749627285a7f401d602ccbb851e 104776 mailman_2.1.23-1+deb9u4.debian.tar.xz
Files: 
 9e953d5621120d4c4915edc2904589dc 2308 mail optional mailman_2.1.23-1+deb9u4.dsc
 e192389efc2a0e696fa288d029e2312d 104776 mail optional mailman_2.1.23-1+deb9u4.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 02 Nov 2018 07:30:44 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:40:06 2019; Machine Name: buxtehude
