File _patchinfo of Package patchinfo.8163
<patchinfo incident="8163">
<issue id="1077358" tracker="bnc">VUL-1: CVE-2018-5950 mailman: Cross-site scripting (XSS) vulnerability in web UI</issue>
<issue id="925502" tracker="bnc">VUL-1: CVE-2015-2775: mailman: directory traversal in MTA transports that deliver programmatically</issue>
<issue id="1101288" tracker="bnc">VUL-0: CVE-2018-13796: mailman: content spoofing vulnerability with invalid list name messages in the web UI</issue>
<issue id="995352" tracker="bnc">VUL-0: CVE-2016-6893: mailman: CSRF protection needs to be extended to the user options page</issue>
<issue id="1099510" tracker="bnc">VUL-0: CVE-2018-0618: mailman: various html code injections fixed</issue>
<issue tracker="cve" id="2018-0618"/>
<issue tracker="cve" id="2018-5950"/>
<issue tracker="cve" id="2016-6893"/>
<issue tracker="cve" id="2015-2775"/>
<issue tracker="cve" id="2018-13796"/>
<category>security</category>
<rating>important</rating>
<packager>mcepl</packager>
<description>This update for mailman fixes the following security vulnerabilities:
- Fixed an XSS vulnerability and information leak in the user options CGI, which
could be used to execute arbitrary scripts in the user's browser via
specially encoded URLs (bsc#1077358 CVE-2018-5950)
- Fixed a directory traversal vulnerability in MTA transports when using the
recommended Mailman Transport for Exim (bsc#925502 CVE-2015-2775)
- Fixed an XSS vulnerability, which allowed malicious list owners to inject
scripts into the listinfo pages (bsc#1099510 CVE-2018-0618)
- Fixed an arbitrary text injection vulnerability in several mailman CGIs
(CVE-2018-13796 bsc#1101288)
- Fixed a CSRF vulnerability on the user options page (CVE-2016-6893 bsc#995352)
</description>
<summary>Security update for mailman</summary>
</patchinfo>