Debian Bug report logs - #888201
mailman: CVE-2018-5950

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 23 Jan 2018 21:27:02 UTC

Severity: grave

Tags: security, upstream

Found in versions mailman/1:2.1.25-1, mailman/1:2.1.18-1

Fixed in versions mailman/1:2.1.26-1, mailman/1:2.1.23-1+deb9u2, mailman/1:2.1.18-2+deb8u2

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.launchpad.net/mailman/+bug/1747209



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#888201; Package src:mailman. (Tue, 23 Jan 2018 21:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. (Tue, 23 Jan 2018 21:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mailman: CVE-2018-5950
Date: Tue, 23 Jan 2018 22:26:06 +0100
Source: mailman
Version: 1:2.1.25-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for mailman, filing for now
as grave since neither details on the impact nor the fix are public, cf.
[1], where it states:

> An XSS vulnerability in the Mailman 2.1 web UI has been reported and
> assigned CVE-2018-5950 which is not yet public.
> 
> I plan to release Mailman 2.1.26 along with a patch for older releases
> to fix this issue on Feb 4, 2018. At that time, full details of the
> vulnerability will be public.
> 
> This is advance notice of the upcoming release and patch for those that
> need a week or two to prepare. The patch will be small and only affect
> one module.

CVE-2018-5950[0]:
| Cross-site scripting (XSS) vulnerability in the web UI in Mailman
| before 2.1.26 allows remote attackers to inject arbitrary web script
| or HTML via unspecified vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5950
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950
[1] https://www.mail-archive.com/mailman-users@python.org/msg70375.html

Please adjust the affected versions in the BTS as needed, once more
details are known.

Regards,
Salvatore
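
A worked version check, added here as an example and not part of the bug log or of the mailman package: it takes the fixed versions recorded in this bug for jessie, stretch and sid (1:2.1.18-2+deb8u2, 1:2.1.23-1+deb9u2, 1:2.1.26-1) and decides whether an installed package version predates the fix. The comparison re-implements dpkg's version ordering (epoch, then upstream version, then Debian revision, with '~' sorting before everything) so the script runs without dpkg; the host inventory at the bottom is constructed sample data, not real hosts. On an actual Debian host, `dpkg --compare-versions` is the authoritative check.

```python
"""Check installed Debian mailman versions against the CVE-2018-5950 fixes.

Added example for bug #888201, not code from the bug log or the package.
"""

# Fixed versions as recorded in the bug log ("Fixed in versions ...").
FIXED_VERSIONS = {
    "jessie": "1:2.1.18-2+deb8u2",
    "stretch": "1:2.1.23-1+deb9u2",
    "sid": "1:2.1.26-1",  # the unstable upload that closed the bug
}


def _order(ch):
    """Weight of one character in dpkg's non-digit pass.

    '~' sorts before everything, even end-of-string; letters sort before
    non-letters; end-of-string and digits weigh 0 (digits are handled by
    the numeric pass, never compared here).
    """
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a, b):
    """dpkg ordering for one upstream-version or revision string.

    Alternates a lexical pass over non-digit runs with a numeric pass over
    digit runs (leading zeros ignored), so 2.1.9 < 2.1.10 and
    2.1.26~rc1 < 2.1.26. Returns <0, 0 or >0.
    """
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i] if i < la else "")
            bc = _order(b[j] if j < lb else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and a[i].isdigit() and j < lb and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1  # a has more digits in this run: numerically larger
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).

    The revision is the part after the last '-' because upstream versions
    may contain '-'. A missing epoch is 0; a missing revision is '' (dpkg
    treats that like '0').
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' at all: rpartition put everything in 'revision'
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg: epoch, then upstream, then revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def is_vulnerable(installed, suite):
    """True if 'installed' is older than the CVE-2018-5950 fix for 'suite'."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) < 0


if __name__ == "__main__":
    # Constructed sample inventory (host, suite, installed version), not real hosts.
    inventory = [
        ("lists-a", "jessie", "1:2.1.18-1"),          # "found in" version from the bug
        ("lists-b", "jessie", "1:2.1.18-2+deb8u2"),   # fixed
        ("lists-c", "stretch", "1:2.1.23-1+deb9u1"),  # one revision before the fix
        ("lists-d", "sid", "1:2.1.25-1"),             # "found in" version from the bug
        ("lists-e", "sid", "1:2.1.26-1"),             # fixed
    ]
    for host, suite, version in inventory:
        state = "VULNERABLE" if is_vulnerable(version, suite) else "fixed"
        print(f"{host:8} {suite:8} {version:22} {state}")
```

Feed it the full package version, epoch included, as reported by `dpkg-query -W -f='${Version}' mailman`; Mailman's own version banner (e.g. "2.1.26") lacks the "1:" epoch and would compare as older than every 1: version, exactly as it would under dpkg.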



Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#888201; Package src:mailman. (Thu, 01 Feb 2018 12:57:03 GMT)


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. (Thu, 01 Feb 2018 12:57:03 GMT)


Message #10 received at 888201@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Salvatore Bonaccorso" <carnil@debian.org>, 888201@bugs.debian.org
Subject: Re: Bug#888201: mailman: CVE-2018-5950
Date: Thu, 1 Feb 2018 13:46:05 +0100
>> I plan to release Mailman 2.1.26 along with a patch for older releases
>> to fix this issue on Feb 4, 2018. At that time, full details of the
>> vulnerability will be public.

I've reserved time on Sunday to upload to sid in any case when the fix is
released, and depending on the details/severity look into a security
upload.


Thijs



Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sun, 04 Feb 2018 18:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 04 Feb 2018 18:51:06 GMT)


Message #15 received at 888201-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 888201-close@bugs.debian.org
Subject: Bug#888201: fixed in mailman 1:2.1.26-1
Date: Sun, 04 Feb 2018 18:49:54 +0000
Source: mailman
Source-Version: 1:2.1.26-1

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888201@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 04 Feb 2018 18:23:18 +0000
Source: mailman
Binary: mailman
Architecture: source amd64
Version: 1:2.1.26-1
Distribution: unstable
Urgency: medium
Maintainer: Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 mailman    - Web-based mailing list manager (legacy branch)
Closes: 888201
Changes:
 mailman (1:2.1.26-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes XSS in user options CGI (CVE-2018-5950, closes: #888201)
   * Document that this is the legacy branch of Mailman and that all
     major development is focused on Mailman 3 (package mailman3).
Checksums-Sha1:
 6064ab921656d86f270871f21f8487dc6e97d37b 1698 mailman_2.1.26-1.dsc
 13d457555cb1603419d49aed560bffad89a9550b 9264592 mailman_2.1.26.orig.tar.gz
 643189ee31c3901135a6e1df66f31d8dc103d060 101792 mailman_2.1.26-1.debian.tar.xz
 2b70c7685c59028c3d842d277931ad00d5df04e9 18524 mailman-dbgsym_2.1.26-1_amd64.deb
 a11293cfc9f84d951e2a98fa4f35d84ca59d7904 6286 mailman_2.1.26-1_amd64.buildinfo
 de0e0c8a50144c7940e19d649268b00f5fa60454 4446688 mailman_2.1.26-1_amd64.deb
Checksums-Sha256:
 70b7e3fbc76ade5407740339525e5ab2e531f4695b53cd1f4cc0c1fa54424094 1698 mailman_2.1.26-1.dsc
 240177e1ef561ede88d7b48283c3835f39bbd0b1ae19100d3520cbe43058339f 9264592 mailman_2.1.26.orig.tar.gz
 3f1f23deecf5fb08904227b87ce8146aa5167d2bcac0f6883325a102a2d18e59 101792 mailman_2.1.26-1.debian.tar.xz
 2f7059e09f831d96d71fed10231bf90ae94ebaf48a88ff738380ec6ea28fcd33 18524 mailman-dbgsym_2.1.26-1_amd64.deb
 bf7b505671459017b3cea4784a36fe52250cf0e7a190503432d538b1b580cdde 6286 mailman_2.1.26-1_amd64.buildinfo
 01236fde31b09e3e35c93e278bf14b8dd0ee0b364dd987088c42456bea1e23df 4446688 mailman_2.1.26-1_amd64.deb
Files:
 0885c32eaadbc2704ee8284c1ea67987 1698 mail optional mailman_2.1.26-1.dsc
 07d075148a3ffc03e6dc2613e797921e 9264592 mail optional mailman_2.1.26.orig.tar.gz
 f1da3a81e61f40f487c8513224d8cafa 101792 mail optional mailman_2.1.26-1.debian.tar.xz
 b6ee6220f47f27a7cb6d00739c661ce3 18524 debug optional mailman-dbgsym_2.1.26-1_amd64.deb
 bd7e36d7ef268e2d758aa1ae574a1f28 6286 mail optional mailman_2.1.26-1_amd64.buildinfo
 9cb25b929a1c074bcd31bf495a66c37c 4446688 mail optional mailman_2.1.26-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQEuBAEBCAAYBQJad1JTERx0aGlqc0BkZWJpYW4ub3JnAAoJEFb2GnlAHawExoAI
AJMSQKXUNMmkbF/ygmpfGwoInyjBI+mUqu0ObnPwsH8ZqALXgRNzQDzumHhBqFPQ
ZAanoTDuRTLUlgbI2Ezy4ojp+9jNwbsYaec5P+EMfqc/c/47q6ghoEgzhrVlHGtV
1pTYvLyUJQYrjcagyyiY5VkCBxj9PgdsGpyabjgta6CneX3v+B22gLQJ5639yQ8R
i4fR7nRAs9Kq7e2h6V6E5hu1Jks1vyvEOdWNJN0ABpABne24CLVm2o9JsZZl3XV0
DM6W142hX4KBCZRraWGbTVCyjzvjfiTTiDuPt2A8QLh7eVIS5cO7CDUS+FpfEzbR
+VKI9JsMaQ358V2xppTC/kU=
=rWnn
-----END PGP SIGNATURE-----




Set Bug forwarded-to-address to 'https://bugs.launchpad.net/mailman/+bug/1747209'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Feb 2018 20:00:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#888201; Package src:mailman. (Sun, 04 Feb 2018 20:03:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. (Sun, 04 Feb 2018 20:03:05 GMT)


Message #22 received at 888201@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 888201@bugs.debian.org
Subject: Re: Bug#888201: mailman: CVE-2018-5950
Date: Sun, 4 Feb 2018 21:02:09 +0100
Control: found -1 1:2.1.18-1

On Thu, Feb 01, 2018 at 01:46:05PM +0100, Thijs Kinkhorst wrote:
> >> I plan to release Mailman 2.1.26 along with a patch for older releases
> >> to fix this issue on Feb 4, 2018. At that time, full details of the
> >> vulnerability will be public.
> 
> I've reserved time on Sunday to in any case to sid when the fix is
> released, and depending on the details/severity look into a security
> upload.

Thijs, unless I'm completely wrong, this issue goes at least back to
the jessie version? Marking as such for the BTS, but please correct me
if I'm wrong.

Regards,
Salvatore



Marked as found in versions mailman/1:2.1.18-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 888201-submit@bugs.debian.org. (Sun, 04 Feb 2018 20:03:05 GMT)


Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Wed, 14 Feb 2018 21:21:57 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 14 Feb 2018 21:21:57 GMT)


Message #29 received at 888201-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 888201-close@bugs.debian.org
Subject: Bug#888201: fixed in mailman 1:2.1.23-1+deb9u2
Date: Wed, 14 Feb 2018 21:17:20 +0000
Source: mailman
Source-Version: 1:2.1.23-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888201@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Feb 2018 07:54:28 +0100
Source: mailman
Binary: mailman
Architecture: source amd64
Version: 1:2.1.23-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 mailman    - Powerful, web-based mailing list manager
Closes: 888201
Changes:
 mailman (1:2.1.23-1+deb9u2) stretch-security; urgency=high
 .
   * CVE-2018-5950: XSS and information leak in user options.
     (Closes: #888201)
Checksums-Sha1:
 a4fd22e8751bfa4e6a824d0f23536f1d2eff9a9a 1800 mailman_2.1.23-1+deb9u2.dsc
 bee329ca989fc4e217fc5cdb814a1a4ecde79615 9290881 mailman_2.1.23.orig.tar.gz
 44ca0103fa0ba36632be16b9cafe362d72897b7f 102836 mailman_2.1.23-1+deb9u2.debian.tar.xz
 6e941845c135950d1a95ebffcb695131669eaa79 19232 mailman-dbgsym_2.1.23-1+deb9u2_amd64.deb
 9e4589da848ff6875f6fb061f4b9c738bbf7e4e0 6743 mailman_2.1.23-1+deb9u2_amd64.buildinfo
 2db8fd3855de65de02d1750ef065dabbc099288c 4466422 mailman_2.1.23-1+deb9u2_amd64.deb
Checksums-Sha256:
 5a54f221827d4625cebf27c85c836cf9ff50f7f3189b99052364d8640c1cce4f 1800 mailman_2.1.23-1+deb9u2.dsc
 b022ca6f8534621c9dbe50c983948688bc4623214773b580c2c78e4a7ae43e69 9290881 mailman_2.1.23.orig.tar.gz
 23f3165bf7157644e0de2999a7951accd9bd8f1f222e6e77ab93b602e1189aea 102836 mailman_2.1.23-1+deb9u2.debian.tar.xz
 85c519c176bdef86927909fba9f2255bfedc2702075dd1f915253e2300423b1f 19232 mailman-dbgsym_2.1.23-1+deb9u2_amd64.deb
 8893c4e15d887a2f9b0d1485b8767f1b1f7796d47d772404ea8122aeb11821f0 6743 mailman_2.1.23-1+deb9u2_amd64.buildinfo
 eab844b20c2e7e6eab5ba84af0cbee276b2da1bfe19de66693bcd7a5ed5dc3c9 4466422 mailman_2.1.23-1+deb9u2_amd64.deb
Files:
 410c5d780329d7fda9e9353dc82adfd7 1800 mail optional mailman_2.1.23-1+deb9u2.dsc
 ceb2d8427e29f4e69b2505423ffeb60b 9290881 mail optional mailman_2.1.23.orig.tar.gz
 2cb1b2367c9b5a1365de3e41225b5a02 102836 mail optional mailman_2.1.23-1+deb9u2.debian.tar.xz
 cc87f3da9d179a456557a3c01c5f15e1 19232 debug extra mailman-dbgsym_2.1.23-1+deb9u2_amd64.deb
 7af4bac97665aef8f1982698e3869a66 6743 mail optional mailman_2.1.23-1+deb9u2_amd64.buildinfo
 972a0f10bc6c43faccf525da94151cc8 4466422 mail optional mailman_2.1.23-1+deb9u2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQEuBAEBCAAYBQJafIN/ERx0aGlqc0BkZWJpYW4ub3JnAAoJEFb2GnlAHawEKEYH
/R4Bxx2myRFxupKjuAjjf0fVpid+GiBoTambWlV5tTfRBkVI/FbJs9QDJeRIgtu1
BZ979lPn+k2vSF0HNYzEiRrPMVPNVNUsq9XLzAZiIzMeaNmaIv9Vp2EWr3FjCE/c
W2PcXnB5q4jIHVmcU0e5/KcgvifWXufWlDpNQucWb7e4R2VMWjXowDgtmKZDCtY+
Lk1D4qJw3dC92K9sRwR55FOHsUxEfFUkTxWG0cNZa3kGKkbsFByVESlMZtSly8sp
5RwgnfePrDUhiIqdVOsgi2AeYZpL9Y5PJZQKStnROcBgS+rvf4fXtpeQk98JovQc
A5MPxQFyw0KGX/fSblU0qoM=
=sgIq
-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Fri, 23 Feb 2018 13:39:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 23 Feb 2018 13:39:10 GMT)


Message #34 received at 888201-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 888201-close@bugs.debian.org
Subject: Bug#888201: fixed in mailman 1:2.1.18-2+deb8u2
Date: Fri, 23 Feb 2018 13:34:51 +0000
Source: mailman
Source-Version: 1:2.1.18-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888201@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Feb 2018 07:30:49 +0100
Source: mailman
Binary: mailman
Architecture: source amd64
Version: 1:2.1.18-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 mailman    - Powerful, web-based mailing list manager
Closes: 888201
Changes:
 mailman (1:2.1.18-2+deb8u2) jessie-security; urgency=high
 .
   * CVE-2018-5950: XSS and information leak in user options.
     (Closes: #888201).
Checksums-Sha1:
 ca5e21728c8264e165292c068b781f881bd5cbf0 1707 mailman_2.1.18-2+deb8u2.dsc
 cb4d793ade7b76f2654334873a0dd5cff5e9007a 105508 mailman_2.1.18-2+deb8u2.debian.tar.xz
 f5c250c25e12bd2fe3a6be74ca10caaf67919969 4326716 mailman_2.1.18-2+deb8u2_amd64.deb
Checksums-Sha256:
 656412b1af81dd99ead0d513ea5504bd2b9b89d2f8c4b904cb2b559f525457a1 1707 mailman_2.1.18-2+deb8u2.dsc
 a3a368350c1476ef87bf4328a0bbf52c8b85884916270fa8fa8765689395d8a7 105508 mailman_2.1.18-2+deb8u2.debian.tar.xz
 614ba8c117737614fa9d448e051aee7c41da6c1434ee9f49540763f5b6eb6f25 4326716 mailman_2.1.18-2+deb8u2_amd64.deb
Files:
 67e1d4da48432e75acf4a5c4efa58e43 1707 mail optional mailman_2.1.18-2+deb8u2.dsc
 afba24b0d6a82fbb30438a5194cc7116 105508 mail optional mailman_2.1.18-2+deb8u2.debian.tar.xz
 52a3c9640c23e4c38b250483d130ecb1 4326716 mail optional mailman_2.1.18-2+deb8u2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJafEv5AAoJEFb2GnlAHawEnYQH/1QtZWfemx7iRWPVZ9iQhkYb
s6eI3+oJ68LzWor9kRoBQS6utNLypwJzgk4cgEoD6SwCx3wSilKU4iWFMm8yvksW
HIbDt7RrGNj+gqAkF/OPJ3CRf2cigfrDul4b4IZgZRtpwXb9swwVjb+pyyxTcoZe
dOi6ammrDT44KtJT5YLhNDSXivP/UWV15b2/7iWot0sDyEQr877dzoimRoC+xcDl
rW9Q199q5Nv5ylsl7DYgYSzofT7/QOoHiDH4hTJREfLhg01aGSxkxcibYQIEWLOl
evTwXOUTro8L39tNkpEr5cup9CEmjJctuLiWRns/Nq/PXGp87kZura8Sm5TPq+o=
=ZY57
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 03 Apr 2018 07:25:14 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:38:03 2019; Machine Name: buxtehude