File _patchinfo of Package patchinfo.8163

<patchinfo incident="8163">
  <issue id="1077358" tracker="bnc">VUL-1:  CVE-2018-5950 mailman: Cross-site scripting (XSS) vulnerability in web UI</issue>
  <issue id="925502" tracker="bnc">VUL-1: CVE-2015-2775: mailman: directory traversal in MTA transports that deliver programmatically</issue>
  <issue id="1101288" tracker="bnc">VUL-0: CVE-2018-13796: mailman: content spoofing vulnerability with invalid list name messages in the web UI</issue>
  <issue id="995352" tracker="bnc">VUL-0: CVE-2016-6893: mailman: CSRF protection needs to be extended to the user options page</issue>
  <issue id="1099510" tracker="bnc">VUL-0: CVE-2018-0618: mailman: various html code injections fixed</issue>
  <issue tracker="cve" id="2018-0618"/>
  <issue tracker="cve" id="2018-5950"/>
  <issue tracker="cve" id="2016-6893"/>
  <issue tracker="cve" id="2015-2775"/>
  <issue tracker="cve" id="2018-13796"/>
  <category>security</category>
  <rating>important</rating>
  <packager>mcepl</packager>
  <description>This update for mailman fixes the following security vulnerabilities:

- Fixed an XSS vulnerability and information leak in the user options CGI, which
  could be used to execute arbitrary scripts in the user's browser via
  specially encoded URLs (bsc#1077358 CVE-2018-5950)
- Fixed a directory traversal vulnerability in MTA transports when using the
  recommended Mailman Transport for Exim (bsc#925502 CVE-2015-2775)
- Fixed an XSS vulnerability, which allowed malicious listowners to inject
  scripts into the listinfo pages (bsc#1099510 CVE-2018-0618)
- Fixed an arbitrary text injection vulnerability in several mailman CGIs
  (CVE-2018-13796 bsc#1101288)
- Fixed a CSRF vulnerability on the user options page (CVE-2016-6893 bsc#995352)
</description>
  <summary>Security update for mailman</summary>
</patchinfo>