svn commit: r534283 - head/security/vuxml

Matthias Andree mandree at FreeBSD.org
Thu May 7 19:56:01 UTC 2020 

Author: mandree
Date: Thu May  7 19:56:00 2020
New Revision: 534283
URL: https://svnweb.freebsd.org/changeset/ports/534283

Log:
  mail/mailman: extend content injection vuln via private archive login
  
  This led up to mailman 2.1.33 today.
  https://bugs.launchpad.net/mailman/+bug/1877379
  https://launchpadlibrarian.net/478684932/private.diff
  https://mail.python.org/archives/list/mailman-developers@python.org/thread/SYBIZ3MNSQZLKN6PVKO7ZKR7QMOBMS45/
  
  Approved by:	ports-secteam@ (blanket for security fixes)
  Security:	88760f4d-8ef7-11ea-a66d-4b2ef158be83

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu May  7 17:54:11 2020	(r534282)
+++ head/security/vuxml/vuln.xml	Thu May  7 19:56:00 2020	(r534283)
@@ -135,15 +135,17 @@ Notes:
   </vuln>
 
   <vuln vid="88760f4d-8ef7-11ea-a66d-4b2ef158be83">
-    <topic>mailman -- content injection vulnerability via options login page</topic>
+    <topic>mailman -- arbitrary content injection vulnerability via options or private archive login pages</topic>
     <affects>
       <package>
 	<name>mailman</name>
-	<range><lt>2.1.30_3</lt></range>
+	<range><lt>2.1.30_4</lt></range>
+	<range><ge>2.1.31</ge><lt>2.1.33</lt></range>
       </package>
       <package>
 	<name>mailman-with-htdig</name>
-	<range><lt>2.1.30_3</lt></range>
+	<range><lt>2.1.30_4</lt></range>
+	<range><ge>2.1.31</ge><lt>2.1.33</lt></range>
       </package>
     </affects>
     <description>
@@ -159,16 +161,26 @@ Notes:
 	    An issue similar to CVE-2018-13796 exists at different endpoint & param. It can lead to a phishing attack.
 	  </p>
 	</blockquote>
+	<blockquote cite="https://bugs.launchpad.net/mailman/+bug/1877379">
+	  <p>
+	    (added 2020-05-07) This is essentially the same as
+	    https://bugs.launchpad.net/mailman/+bug/1873722 except the vector is
+	    the private archive login page and the attack only succeeds if the
+	    list's roster visibility (private_roster) setting is 'Anyone'.
+	  </p>
+	</blockquote>
       </body>
     </description>
     <references>
       <url>https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1845/NEWS#L8</url>
       <url>https://bugs.launchpad.net/mailman/+bug/1873722</url>
+      <url>https://bugs.launchpad.net/mailman/+bug/1877379</url>
+      <url>https://mail.python.org/archives/list/mailman-developers@python.org/thread/SYBIZ3MNSQZLKN6PVKO7ZKR7QMOBMS45/</url>
       <cvename>CVE-2018-13796</cvename>
     </references>
     <dates>
       <discovery>2020-04-20</discovery>
-      <entry>2020-05-05</entry>
+      <entry>2020-05-07</entry>
     </dates>
   </vuln>

More information about the svn-ports-head mailing list