svn commit: r473349 - head/security/vuxml
Matthias Andree
mandree at FreeBSD.org
Mon Jun 25 21:45:42 UTC 2018
Author: mandree
Date: Mon Jun 25 21:45:41 2018
New Revision: 473349
URL: https://svnweb.freebsd.org/changeset/ports/473349
Log:
Add mailman vulnerabilities/hardening.
Obtained from: Mark Sapiro
Security: 739948e3-78bf-11e8-b23c-080027ac955c
Security: CVE-2018-0618
Security: JVN#00846677
Security: JPCERT#97432283
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Mon Jun 25 21:17:15 2018 (r473348)
+++ head/security/vuxml/vuln.xml Mon Jun 25 21:45:41 2018 (r473349)
@@ -58,6 +58,37 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="739948e3-78bf-11e8-b23c-080027ac955c">
+ <topic>mailman -- hardening against malicious listowners injecting evil HTML scripts</topic>
+ <affects>
+ <package> <name>mailman</name> <range><lt>2.1.27</lt></range> </package>
+ <package> <name>mailman-with-htdig</name> <range><lt>2.1.27</lt></range> </package>
+ <package> <name>ja-mailman</name> <range><lt>2.1.27</lt></range> </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mark Sapiro reports:</p>
+ <blockquote cite="https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L8">
+ <p>Existing protections against malicious listowners injecting evil
+ scripts into listinfo pages have had a few more checks added.
+ </p>
+ <p>A few more error messages have had their values HTML escaped.</p>
+ <p>The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
+ the same as one generated at the same time for a different list and
+ IP address.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L8</url>
+ <cvename>CVE-2018-0618</cvename>
+ </references>
+ <dates>
+ <discovery>2018-03-09</discovery> <!-- Launchpad rev. 1747 -->
+ <entry>2018-06-25</entry>
+ </dates>
+ </vuln>
+
<vuln vid="17cb6ff3-7670-11e8-8854-6805ca0b3d42">
<topic>phpmyadmin -- remote code inclusion and XSS scripting</topic>
<affects>
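Review bot: The `<references>` block of the new mailman entry records only the NEWS URL and `CVE-2018-0618`, while the commit log also names JVN#00846677 and JPCERT#97432283. Those identifiers exist only in the log, so someone reading vuln.xml or audit output cannot trace the entry back to the JVN advisory. Consider adding the advisory as a further reference, e.g. `<url>JVN_ADVISORY_URL</url>` (placeholder; take the address from the JVN#00846677 advisory page). The `<topic>` also presents the entry as hardening only, although the quoted NEWS text describes script injection into listinfo pages and a SUBSCRIBE_FORM_SECRET hash that could repeat across lists and IP addresses. A topic that names the script-injection issue tracked by the CVE would help operators prioritise the update.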