FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mailman -- hardening against malicious listowners injecting evil HTML scripts

Affected packages
mailman < 2.1.27
mailman-with-htdig < 2.1.27
ja-mailman < 2.1.14.j7_5,1

Details

VuXML ID 739948e3-78bf-11e8-b23c-080027ac955c
Discovery 2018-03-09
Entry 2018-06-25

Mark Sapiro reports:

Existing protections against malicious listowners injecting evil scripts into listinfo pages have had a few more checks added.

A few more error messages have had their values HTML escaped.

The hash generated when SUBSCRIBE_FORM_SECRET is set could have been the same as one generated at the same time for a different list and IP address.

References

CVE Name CVE-2018-0618
URL https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L8
URL https://www.mail-archive.com/mailman-users@python.org/