
[SECURITY] [DLA 2200-1] mailman security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : mailman
Version        : 1:2.1.18-2+deb8u5
CVE ID         : CVE-2020-12137


A vulnerability was discovered in mailman. GNU Mailman 2.x before 2.1.30
uses the .obj extension for scrubbed application/octet-stream MIME
parts. This behavior may contribute to XSS attacks against
list-archive visitors, because an HTTP reply from an archive web
server may lack a MIME type, and a web browser may perform MIME
sniffing, conclude that the MIME type should have been text/html, and
execute JavaScript code.
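As an added example (not part of this advisory or of Mailman's own code), the Python script below scans an archive tree for scrubbed `.obj` attachments whose leading bytes a browser would MIME-sniff as text/html if the archive web server served them without a Content-Type. The archive directory layout and the simplified WHATWG sniffing heuristic are assumptions.

```python
"""Scan a Mailman 2.x archive tree for scrubbed .obj attachments that a
browser would MIME-sniff as text/html when served without a Content-Type.
Added example for DLA 2200-1, not Mailman's own code; the directory layout
(root/<list>/attachments/...) and the sniffing heuristic are assumptions,
the heuristic being a simplified form of the WHATWG MIME-sniffing rules."""
import re
import tempfile
from pathlib import Path

# Tag names the WHATWG sniffing algorithm treats as text/html when they open
# the resource (after optional whitespace) and are followed by a space or '>'.
# Simplified: browsers inspect at most the first 1445 bytes of the resource.
_HTML_TAGS = (b"!DOCTYPE HTML", b"HTML", b"HEAD", b"SCRIPT", b"IFRAME", b"H1",
              b"DIV", b"FONT", b"TABLE", b"A", b"STYLE", b"TITLE", b"B",
              b"BODY", b"BR", b"P", b"!--")
_HTML_RE = re.compile(
    rb"^[\t\n\x0c\r ]*<(?:" + b"|".join(re.escape(t) for t in _HTML_TAGS)
    + rb")[ >]", re.IGNORECASE)


def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes would be sniffed as text/html."""
    return _HTML_RE.match(data[:1445]) is not None


def find_sniffable_obj(archive_root) -> list:
    """Return .obj files under archive_root whose content sniffs as HTML."""
    hits = []
    for path in sorted(Path(archive_root).rglob("*.obj")):
        with open(path, "rb") as fh:
            if looks_like_html(fh.read(1445)):
                hits.append(path)
    return hits


def demo() -> list:
    """Constructed sample archive: one binary .obj and one HTML-looking .obj."""
    root = Path(tempfile.mkdtemp())
    att = root / "mylist" / "attachments" / "20200101"
    att.mkdir(parents=True)
    (att / "attachment.obj").write_bytes(b"\x00\x01\x02binary blob")
    (att / "attachment-0001.obj").write_bytes(b"\n <html><body>hi</body></html>")
    return [p.name for p in find_sniffable_obj(root)]


if __name__ == "__main__":
    print(demo())  # -> ['attachment-0001.obj']
```

Files the scan reports are the ones worth serving with an explicit `Content-Type: application/octet-stream` and `X-Content-Type-Options: nosniff` on the archive web server, independent of the package upgrade.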


For Debian 8 "Jessie", this problem has been fixed in version
1:2.1.18-2+deb8u5.

We recommend that you upgrade your mailman packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

