List:       oss-security
Subject:    Re: [oss-security] mailman 2.x: XSS via file attachments in list archives
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2020-04-24 19:00:16
Message-ID: 20200424190016.GA2393887 () eldamar ! local

Hi,

On Thu, Apr 23, 2020 at 04:41:43PM +0200, Stefan Cornelius wrote:
> On Mon, 24 Feb 2020 11:06:38 -0500
> Jim Popovitch <jim@k4vqc.com> wrote:
> 
> > On Mon, 2020-02-24 at 15:34 +0100, Hanno Böck wrote:
> > > This change is in mailman 2.1.30rc1, but not in any stable release
> > > of mailman.  
> > 
> > Just for some added info, Mailman v2.1.30 is almost released, the
> > holdup is with some language translations.  Mailman v2.1.30 will be
> > the last of the Mailman v2 releases as primary development and effort
> > has long shifted to Mailman v3. Further, the Mailman v2 branch is
> > tied to Python v2, which is now EOL by the fine Python folk.
> > 
> > Once Mailman v2.1.30 is released, I'm sure the various distributions
> > will pull the commit and merge the particulars into their release
> > branches, and that will surely include this XSS fix. 
> 
> Hi,
> 
> It seems like this does not have a CVE? Is there a reason for this, or
> did this just slip through the cracks/was never really requested?

This appears to have happened now,
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12137 was
assigned.

Regards,
Salvatore