Bug 225703

Summary: japanese/mailman seems to be affected by CVE-2018-5950 also
Product: Ports & Packages
Reporter: Yasuhito FUTATSUKI <freebsd-bug-report-yf>
Component: Individual Port(s)
Assignee: TAKATSU Tomonari <tota>
Status: Closed FIXED
Severity: Affects Many People
Flags: bugzilla: maintainer-feedback? (tota)
Priority: ---
Version: Latest
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225767
Attachments:
CVE-2018-5950 patch for Mailman 2.1.14+j7 (flags: none)

Description Yasuhito FUTATSUKI 2018-02-06 14:56:03 UTC
Created attachment 190359
CVE-2018-5950 patch for Mailman 2.1.14+j7

Mailman/Cgi/options.py on Mailman 2.1.14+j7 seems to have the same vulnerability as upstream GNU Mailman before 2.1.26, CVE-2018-5950.

This is a patch from https://bugs.launchpad.net/mailman/+bug/1747209 (re-created for 2.1.14+j7, applied diff after that patch)

Comment 1 Yasuhito FUTATSUKI 2018-02-21 05:54:05 UTC
I also found that the MASTER_SITES URL has changed. (http://www.python.jp/doc/contrib/mailman/_static -> https://docs.python.jp/doc/contrib/mailman/_static/)

Comment 2 commit-hook freebsd_committer freebsd_triage 2018-02-25 10:45:51 UTC
A commit references this bug:

Author: tota
Date: Sun Feb 25 10:45:00 UTC 2018
New revision: 462947
URL: https://svnweb.freebsd.org/changeset/ports/462947

Log:
  - Add CVE-2018-5950 patch [1]
  - Update MASTER_SITES [1]
  - USES shebangfix
  - Regenerate patches with makepatch
  - Fix pkg-plist to make portlint happy

  PR:		225703 [1]
  Submitted by:	Yasuhito FUTATSUKI
  MFH:		2018Q1
  Security:	CVE-2018-5950

Changes:
  head/japanese/mailman/Makefile
  head/japanese/mailman/files/patch-CVE-2015-2775
  head/japanese/mailman/files/patch-CVE-2018-5950
  head/japanese/mailman/files/patch-Mailman-Defaults.py.in
  head/japanese/mailman/files/patch-Mailman-htmlformat.py
  head/japanese/mailman/files/patch-configure.in
  head/japanese/mailman/files/patch-misc-mailman.in
  head/japanese/mailman/pkg-plist

Comment 3 commit-hook freebsd_committer freebsd_triage 2018-03-14 07:55:07 UTC
A commit references this bug:

Author: tota
Date: Wed Mar 14 07:54:30 UTC 2018
New revision: 464466
URL: https://svnweb.freebsd.org/changeset/ports/464466

Log:
  MFH: r462947 r463639

  - Add CVE-2018-5950 patch [1]
  - Update MASTER_SITES [1]
  - USES shebangfix
  - Regenerate patches with makepatch
  - Fix pkg-plist to make portlint happy
  - Remove unnecessary line from files/pkg-deinstall.in [2]
  - Fix files/pkg-install.in [2]

  PR:		225703 [1]
  Submitted by:	Yasuhito FUTATSUKI
  Security:	CVE-2018-5950
  Pointed out by:	riggs@ [2]
  Approved by:	ports-secteam (riggs@)

Changes:
_U  branches/2018Q1/
  branches/2018Q1/japanese/mailman/Makefile
  branches/2018Q1/japanese/mailman/files/patch-CVE-2015-2775
  branches/2018Q1/japanese/mailman/files/patch-CVE-2018-5950
  branches/2018Q1/japanese/mailman/files/patch-Mailman-Defaults.py.in
  branches/2018Q1/japanese/mailman/files/patch-Mailman-htmlformat.py
  branches/2018Q1/japanese/mailman/files/patch-configure.in
  branches/2018Q1/japanese/mailman/files/patch-misc-mailman.in
  branches/2018Q1/japanese/mailman/files/pkg-deinstall.in
  branches/2018Q1/japanese/mailman/files/pkg-install.in
  branches/2018Q1/japanese/mailman/pkg-plist

Comment 4 TAKATSU Tomonari freebsd_committer freebsd_triage 2018-03-20 09:43:15 UTC
Committed. Thanks!