Bug 225767
| Summary: | security/vuxml: Document vulnerability in Mailman (CVE-2018-5950) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Ports & Packages | Reporter: | VK <vlad-fbsd> | ||||
| Component: | Individual Port(s) | Assignee: | Matthias Andree <mandree> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Some People | CC: | mailman, mandree, tota | ||||
| Priority: | --- | Keywords: | patch, security | ||||
| Version: | Latest | Flags: | mandree:
maintainer-feedback+
|
||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| URL: | https://www.mail-archive.com/mailman-users@python.org/msg70478.html | ||||||
| See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225703 | ||||||
| Attachments: |
|
||||||
"An XSS vulnerability in the user options CGI could allow a crafted URL to execute arbitrary javascript in a user's browser. A related issue could expose information on a user's options page without requiring login. These are fixed. Thanks to Calum Hutton for the report." * CVE-2018-5950 * https://www.mail-archive.com/mailman-users@python.org/msg70478.html A commit references this bug: Author: mandree Date: Thu Feb 8 22:24:00 UTC 2018 New revision: 461276 URL: https://svnweb.freebsd.org/changeset/ports/461276 Log: Document Mailman vulnerability PR: 225767 Submitted by: Vladimir Krstulja Reviewed by: Matthias Andree Security: CVE-2018-5950 Security: 3d0eeef8-0cf9-11e8-99b0-d017c2987f9a Changes: head/security/vuxml/vuln.xml A commit references this bug: Author: mandree Date: Thu Feb 8 22:32:24 UTC 2018 New revision: 461277 URL: https://svnweb.freebsd.org/changeset/ports/461277 Log: Security update to 2.1.26 (XSS bug), assorted other fixes. - Fix checksum failures in Defaults.py[c]: No longer patch Defaults.py in postinstall, instead configure --with-mailhost=localhost --with-urlhost=localhost, as Fedora and Arch Linux do. - Add a related note to FreeBSD-post-install-notes. - Add a related safeguard to the rcfile, which will refuse to run if the DEFAULT_*_HOSTs are not configured. This can be changed with a new mailman_run_localhost="YES" rc.conf setting, which will then restrict itself to printing the warnings, but still start mailman. - Update htdig patch to upstream SVN r1734. - Bump USES, python:2 -> python:2.7 - Regenerated patches. Changelog: https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1743/NEWS#L8 Release/SecuritY announcement: https://www.mail-archive.com/mailman-users@python.org/msg70478.html PR: 225767 (related vuxml entry) Reported by: Vladimir Krstulja MFH: 2018Q1 Security: CVE-2018-5950 Security: 3d0eeef8-0cf9-11e8-99b0-d017c2987f9a Changes: head/mail/mailman/Makefile head/mail/mailman/distinfo head/mail/mailman/files/FreeBSD-post-install-notes head/mail/mailman/files/mailman.in head/mail/mailman/files/patch-Mailman__Defaults.py.in head/mail/mailman/files/patch-Mailman__htmlformat.py head/mail/mailman/files/patch-misc__mailman.in head/mail/mailman/files/pkg-install.in head/mail/mailman/pkg-plist |
Created attachment 190436 [details] Document CVE-2018-5950