-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello. I prepared a LTS security update for mailman. Debdiff is attached. link: https://mentors.debian.net/debian/pool/main/m/mailman/mailman_2.1.15-1+deb7u3.dsc I manually done following tests for finding regressions. - - Installed my build in a wheezy machine. - - Created and deleted lists - - Subscribed and unsubscribed to/from lists - - send couple of tests mails - - Checked archives. Please upload. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlp6iFEACgkQhj1N8u2c KO963BAAkw0FEBWTzGaXrduG4jdC6o2ThRHeCKngm9OWHRT1RgPElvYytP4WLDt+ b19l3v/rndZc/HM2KIamKd/c4VvpeUMfOzdc3/6K3MsL2KxSq//LP9gbquQkUh/T mNOc6bz3vqd+9WQgOFkrqByizsXCVUvHyMhBRbM7R9rPGfdqEMMd8oKY4VRqizHz QQsGqkIS2MjYhU/8idwwVz9VTjs0wTBfyYFaa8rKt9c56Ef8Uh92/TPFEDPr1cQ7 O09ovww+KKtGVI2rx4mjngqp0ScoSbg39ZilAUWSQWVqi3p3UmlIf8+sop3OtLGN DaYY0tksGTnvDvymF0/4+xOQpsE5yzlPe5xtTRndETbntmSBGSM1iCSJhNI0LhmP niJpiI7rVtYnz/gr2p0eI0pNN+lZSgp9a9I5G+9kgvkhq0NmdrrWqE/yRoxKTJ6X U+IA/RlbYLCh8hr3n/ArPqrJK4+l3tuGJDN7wyFR9RyAEdhEXQAW773/Sjsn0dAF BhZ4DsxTvaVbHfBQC828iEr/XnOz8JHEoCGFLJfankoEFs+RWen1TrEsDxFU92O4 MybMXEGqFsmWB/8U49rBbR4jraaFDZKKTEuPhNnnt1zG4tyoyqkHPg5jR7VnUPVV 7jXuc+kLqw+xKpWX5wa/EXxVz7O1uL3a+66M6VB0Hz1qClSazBM= =Zvv5 -----END PGP SIGNATURE-----
diff -Nru mailman-2.1.15/debian/changelog mailman-2.1.15/debian/changelog
--- mailman-2.1.15/debian/changelog 2016-09-02 00:22:17.000000000 +0530
+++ mailman-2.1.15/debian/changelog 2018-02-07 08:28:22.000000000 +0530
@@ -1,3 +1,11 @@
+mailman (1:2.1.15-1+deb7u3) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS team.
+ * CVE-2018-5950: Fix cross-site scripting (XSS) vulnerability in the web UI in Mailman. (Closes: #888201)
+
+ -- Abhijith PA <abhijith@disroot.org> Wed, 07 Feb 2018 08:28:22 +0530
+
 mailman (1:2.1.15-1+deb7u2) wheezy-security; urgency=high
 * CVE-2016-6893: Fix CSRF vulnerability associated in the user options page
diff -Nru mailman-2.1.15/debian/patches/94_CVE-2018-5950.patch mailman-2.1.15/debian/patches/94_CVE-2018-5950.patch
--- mailman-2.1.15/debian/patches/94_CVE-2018-5950.patch 1970-01-01 05:30:00.000000000 +0530
+++ mailman-2.1.15/debian/patches/94_CVE-2018-5950.patch 2018-02-07 08:28:22.000000000 +0530
@@ -0,0 +1,58 @@
+Description: Fix CVE-2018-5950
+ Fix cross-site scripting (XSS) vulnerability in the web UI which allows
+ remote attackers to inject arbitrary web script or HTML via a user-options
+ URL.
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://launchpadlibrarian.net/355686141/options.patch
+Bug: https://bugs.launchpad.net/mailman/+bug/1747209
+Bug-Debian: https://bugs.debian.org/888201
+Last-Update: 2018-02-07
+
+Index: mailman-2.1.15/Mailman/Cgi/options.py
+===================================================================
+--- mailman-2.1.15.orig/Mailman/Cgi/options.py
++++ mailman-2.1.15/Mailman/Cgi/options.py
+@@ -152,20 +152,6 @@ def main():
+ doc.set_language(userlang)
+ i18n.set_language(userlang)
+
+- # See if this is VARHELP on topics.
+- varhelp = None
+- if cgidata.has_key('VARHELP'):
+- varhelp = cgidata['VARHELP'].value
+- elif os.environ.get('QUERY_STRING'):
+- # POST methods, even if their actions have a query string, don't get
+- # put into FieldStorage's keys :-(
+- qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+- if qs and type(qs) == types.ListType:
+- varhelp = qs[0]
+- if varhelp:
+- topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+- return
+-
+ # Are we processing an unsubscription request from the login screen?
+ if cgidata.has_key('login-unsub'):
+ # Because they can't supply a password for unsubscribing, we'll need
+@@ -268,6 +254,22 @@ def main():
+ # options. The first set of checks does not require the list to be
+ # locked.
+
++ # See if this is VARHELP on topics.
++ varhelp = None
++ if cgidata.has_key('VARHELP'):
++ varhelp = cgidata['VARHELP'].value
++ elif os.environ.get('QUERY_STRING'):
++ # POST methods, even if their actions have a query string, don't get
++ # put into FieldStorage's keys :-(
++ qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
++ if qs and type(qs) == types.ListType:
++ varhelp = qs[0]
++ if varhelp:
++ # Sanitize the topic name.
++ varhelp = re.sub('<.*', '', varhelp)
++ topic_details(mlist, doc, user, cpuser, userlang, varhelp)
++ return
++
+ if cgidata.has_key('logout'):
+ print mlist.ZapCookie(mm_cfg.AuthUser, user)
+ loginpage(mlist, doc, user, language)
diff -Nru mailman-2.1.15/debian/patches/series mailman-2.1.15/debian/patches/series
--- mailman-2.1.15/debian/patches/series 2016-09-02 00:22:45.000000000 +0530
+++ mailman-2.1.15/debian/patches/series 2018-02-07 08:28:22.000000000 +0530
@@ -12,3 +12,4 @@
 79_archiver_slash.patch
 92_CVE-2015-2775.patch
 93_CVE-2016-6893.patch
+94_CVE-2018-5950.patch
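Review bot: The added `varhelp = re.sub('<.*', '', varhelp)` is a truncating denylist rather than an escape: it discards everything from the first `<` onward but leaves quotes and ampersands untouched, so it only helps if `topic_details` reflects the name as element text, which this hunk does not show. Since a VARHELP value is presumably meant to select one of the list's configured topics, rejecting any name that does not match a known topic, and HTML-escaping whatever is echoed back (Mailman's `Utils.websafe()`) at the rendering site, would not depend on the regex; at minimum I would document the limit with `# Denylist only: drops from the first '<' on; the value must still be escaped where it is rendered.`. The hunk also calls `re` without adding an `import re`; if options.py does not already import it, the first VARHELP request fails with a NameError rather than being sanitized, so that is worth confirming. The enclosing `main()` begins and ends outside the hunk.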