UbuntuUpdates.org

Package "mailman"

Name: mailman

Description:

Powerful, web-based mailing list manager
Latest version: 1:2.1.20-1ubuntu0.6
Release: xenial (16.04)
Level: updates
Repository: main
Homepage: http://www.list.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "mailman"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "mailman" in Xenial

Repository Area Version
base main 1:2.1.20-1
security main 1:2.1.20-1ubuntu0.6

Changelog

Version: 1:2.1.20-1ubuntu0.6 2020-06-29 16:06:18 UTC

  mailman (1:2.1.20-1ubuntu0.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Arbitrary Content Injection
    - debian/patches/CVE-2020-15011.diff: checks if
      roster private, if so log the info in Mailman/Cgi/private.py.
    - CVE-2020-15011

 -- <email address hidden> (Leonidas S. Barbosa) Thu, 25 Jun 2020 15:14:32 -0300
Source diff to previous version
CVE-2020-15011 GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.

Version: 1:2.1.20-1ubuntu0.5 2020-05-11 15:07:25 UTC

  mailman (1:2.1.20-1ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Arbitrary Content Injection
    - debian/patches/CVE-2020-12108.diff: removed
      safeusers variable that allows arbitrary content
      to be injected in Mailman/Cgi/options.py.
    - CVE-2020-12108

 -- <email address hidden> (Leonidas S. Barbosa) Thu, 07 May 2020 09:49:54 -0300
Source diff to previous version
CVE-2020-12108 /options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.

Version: 1:2.1.20-1ubuntu0.4 2020-04-29 17:07:00 UTC

  mailman (1:2.1.20-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: XSS vulnerability
    - debian/patches/93_CVE-2018-0618.patch: avoiding
      injections in Mailman/Gui/General.py, Mailman/Utils.py,
      Mailman/Gui/GUIBase.py
    - CVE-2018-0618
  * SECURITY UPDATE: Arbitrary text injection
    - debian/patches/94_CVE-2018-13796.patch: check for injections
      in Mailmain/Utils.py.
    - CVE-2018-13796
  * SECURITY UPDATE: XSS vulnerability
    - debian/patches/CVE-2020-12137.diff: use .bin extension
      for scrubbed application/octet-stream files in
      Mailman/Handlers/Scrubber.py.
    - CVE-2020-12137

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 28 Apr 2020 13:43:18 -0300
Source diff to previous version
CVE-2018-0618 Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via uns
CVE-2018-13796 An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site.
CVE-2020-12137 GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks a

Version: 1:2.1.20-1ubuntu0.3 2018-02-08 20:07:18 UTC

  mailman (1:2.1.20-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Cross-site scripting vulnerability
    - debian/patches/CVE-2018-5950.patch: fix this in
      Mailman/Cgi/options.py.
    - CVE-2018-5950

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 07 Feb 2018 15:30:29 -0300
Source diff to previous version
CVE-2018-5950 Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a

Version: 1:2.1.20-1ubuntu0.1 2016-11-01 20:06:59 UTC

  mailman (1:2.1.20-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: CSRF vulnerability in the user options page
    - debian/patches/CVE-2016-6893.patch: add CSRF checks to
      Mailman/Cgi/admindb.py, Mailman/Cgi/edithtml.py,
      Mailman/Cgi/options.py, Mailman/HTMLFormatter.py,
      Mailman/htmlformat.py.
    - CVE-2016-6893

 -- Marc Deslauriers <email address hidden> Thu, 06 Oct 2016 11:26:10 -0400
CVE-2016-6893 Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the aut


About   -   Send Feedback to @ubuntu_updates