
Upload mailman




Hello.

I prepared an LTS security update for mailman. The debdiff is attached.
link:
https://mentors.debian.net/debian/pool/main/m/mailman/mailman_2.1.15-1+deb7u3.dsc

I manually did the following tests to look for regressions:
- Installed my build on a wheezy machine.
- Created and deleted lists.
- Subscribed to and unsubscribed from lists.
- Sent a couple of test mails.
- Checked archives.


Please upload.
diff -Nru mailman-2.1.15/debian/changelog mailman-2.1.15/debian/changelog
--- mailman-2.1.15/debian/changelog	2016-09-02 00:22:17.000000000 +0530
+++ mailman-2.1.15/debian/changelog	2018-02-07 08:28:22.000000000 +0530
@@ -1,3 +1,11 @@
+mailman (1:2.1.15-1+deb7u3) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS team.
+  * CVE-2018-5950: Fix cross-site scripting (XSS) vulnerability in the 
+    web UI in Mailman. (Closes: #888201)
+
+ -- Abhijith PA <abhijith@disroot.org>  Wed, 07 Feb 2018 08:28:22 +0530
+
 mailman (1:2.1.15-1+deb7u2) wheezy-security; urgency=high
 
   * CVE-2016-6893: Fix CSRF vulnerability associated in the user options page
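Review bot: the new changelog line `+  * CVE-2018-5950: Fix cross-site scripting (XSS) vulnerability in the ` ends with trailing whitespace; please trim it before upload. The version (1:2.1.15-1+deb7u3), distribution (wheezy-security) and bug closure (#888201) agree with the .dsc name in the mail and with the `Bug-Debian:` field of the new patch file, so nothing else to raise here.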
diff -Nru mailman-2.1.15/debian/patches/94_CVE-2018-5950.patch mailman-2.1.15/debian/patches/94_CVE-2018-5950.patch
--- mailman-2.1.15/debian/patches/94_CVE-2018-5950.patch	1970-01-01 05:30:00.000000000 +0530
+++ mailman-2.1.15/debian/patches/94_CVE-2018-5950.patch	2018-02-07 08:28:22.000000000 +0530
@@ -0,0 +1,58 @@
+Description: Fix CVE-2018-5950
+ Fix cross-site scripting (XSS) vulnerability in the web UI which allows 
+ remote attackers to inject arbitrary web script or HTML via a user-options 
+ URL.
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://launchpadlibrarian.net/355686141/options.patch
+Bug: https://bugs.launchpad.net/mailman/+bug/1747209
+Bug-Debian: https://bugs.debian.org/888201
+Last-Update: 2018-02-07
+
+Index: mailman-2.1.15/Mailman/Cgi/options.py
+===================================================================
+--- mailman-2.1.15.orig/Mailman/Cgi/options.py
++++ mailman-2.1.15/Mailman/Cgi/options.py
+@@ -152,20 +152,6 @@ def main():
+     doc.set_language(userlang)
+     i18n.set_language(userlang)
+ 
+-    # See if this is VARHELP on topics.
+-    varhelp = None
+-    if cgidata.has_key('VARHELP'):
+-        varhelp = cgidata['VARHELP'].value
+-    elif os.environ.get('QUERY_STRING'):
+-        # POST methods, even if their actions have a query string, don't get
+-        # put into FieldStorage's keys :-(
+-        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+-        if qs and type(qs) == types.ListType:
+-            varhelp = qs[0]
+-    if varhelp:
+-        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+-        return
+-
+     # Are we processing an unsubscription request from the login screen?
+     if cgidata.has_key('login-unsub'):
+         # Because they can't supply a password for unsubscribing, we'll need
+@@ -268,6 +254,22 @@ def main():
+     # options.  The first set of checks does not require the list to be
+     # locked.
+ 
++    # See if this is VARHELP on topics.
++    varhelp = None
++    if cgidata.has_key('VARHELP'):
++        varhelp = cgidata['VARHELP'].value
++    elif os.environ.get('QUERY_STRING'):
++        # POST methods, even if their actions have a query string, don't get
++        # put into FieldStorage's keys :-(
++        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
++        if qs and type(qs) == types.ListType:
++            varhelp = qs[0]
++    if varhelp:
++        # Sanitize the topic name.
++        varhelp = re.sub('<.*', '', varhelp)
++        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
++        return
++
+     if cgidata.has_key('logout'):
+         print mlist.ZapCookie(mm_cfg.AuthUser, user)
+         loginpage(mlist, doc, user, language)
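Review bot: the relocated block calls `re.sub` at `+        varhelp = re.sub('<.*', '', varhelp)` but this patch adds no `import re`, and the context lines do not show the module's imports; confirm that `Mailman/Cgi/options.py` already imports `re` at the top, otherwise the VARHELP path will raise a NameError at runtime. Note also that the sanitization only discards text from the first `<` onward; whatever precedes it is still passed to `topic_details(...)`, which lies outside the hunk, so check how that function renders the value before treating the regex as sufficient. Moving the block from its old position at line 152 to after the comment "The first set of checks does not require the list to be locked" means the checks between those two points (not shown) now run before the topic help is displayed; that ordering change looks intentional but is worth stating in the `Description:` field. On the DEP-3 header, `Origin:` points at a Launchpad patch while `Author:` names the Debian uploader; if the change is taken from upstream, the conventional form is `Origin: upstream, https://launchpadlibrarian.net/355686141/options.patch` with the upstream author. Finally, the two `Description:` continuation lines (`+ Fix cross-site scripting (XSS) vulnerability in the web UI which allows ` and the line after it) carry trailing whitespace.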
diff -Nru mailman-2.1.15/debian/patches/series mailman-2.1.15/debian/patches/series
--- mailman-2.1.15/debian/patches/series	2016-09-02 00:22:45.000000000 +0530
+++ mailman-2.1.15/debian/patches/series	2018-02-07 08:28:22.000000000 +0530
@@ -12,3 +12,4 @@
 79_archiver_slash.patch
 92_CVE-2015-2775.patch
 93_CVE-2016-6893.patch
+94_CVE-2018-5950.patch
