
[SECURITY] [DLA 2200-1] mailman security update




Package        : mailman
Version        : 1:2.1.18-2+deb8u5
CVE ID         : CVE-2020-12137


A vulnerability was discovered in mailman. GNU Mailman 2.x before 2.1.30
uses the .obj extension for scrubbed application/octet-stream MIME
parts. This behavior may contribute to XSS attacks against list-archive
visitors, because an HTTP reply from an archive web server may lack a
MIME type, and a web browser may perform MIME sniffing, conclude that
the MIME type should have been text/html, and execute JavaScript code.
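The chain described above, as an added example that is not Mailman's or Debian's code: a check for whether an archive reply for a scrubbed .obj part would let a browser reinterpret it as HTML, beside the header set an archive web server should send instead. The marker list, the sample body and the function names are assumptions of this example.

```python
# Added example, not Mailman's or Debian's code: models the sniffing condition
# described in CVE-2020-12137 and the headers that close it. Function names,
# the marker list and the sample body are constructed for this example.
from typing import Dict

# Leading byte patterns that browser MIME sniffing maps to text/html
# (a constructed subset of the WHATWG list).
HTML_MARKERS = (b"<!doctype html", b"<html", b"<body", b"<script", b"<iframe")

# Constructed sample: a scrubbed "octet-stream" part whose bytes are really HTML.
SAMPLE_HTML = b"  <!DOCTYPE html><html><body>constructed sample</body></html>"


def looks_like_html(body: bytes) -> bool:
    """Crude stand-in for a browser's sniffer: skip whitespace, test the lead bytes."""
    head = body.lstrip()[:512].lower()
    return any(head.startswith(m) for m in HTML_MARKERS)


def is_sniffable(headers: Dict[str, str], body: bytes) -> bool:
    """True when an archive reply would let a browser treat the .obj part as HTML.

    Mirrors the advisory's chain and only that case: no Content-Type on the
    reply, sniffing not disabled with nosniff, and a body that sniffs as HTML.
    """
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if h.get("x-content-type-options") == "nosniff":
        return False  # browser will not sniff a scriptable type
    if h.get("content-type"):
        return False  # a declared type is outside the advisory's missing-type case
    return looks_like_html(body)


def harden_headers(filename: str) -> Dict[str, str]:
    """Headers an archive web server should send for scrubbed attachments."""
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-")
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


if __name__ == "__main__":
    print("bare reply sniffable:", is_sniffable({}, SAMPLE_HTML))  # True
    hardened = harden_headers("part.obj")
    print("hardened reply sniffable:", is_sniffable(hardened, SAMPLE_HTML))  # False
```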


For Debian 8 "Jessie", this problem has been fixed in version
1:2.1.18-2+deb8u5.

We recommend that you upgrade your mailman packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



