Overview

File _patchinfo of Package patchinfo.8369

<patchinfo incident="8369">
  <issue tracker="bnc" id="1099510">VUL-0: CVE-2018-0618: mailman: various html code injections fixed</issue>
  <issue tracker="cve" id="2018-0618"/>
  <category>security</category>
  <rating>moderate</rating>
  <packager>AndreasStieger</packager>
  <description>This update for mailman to version 2.1.27 fixes the following issues:

This security issue was fixed:

- CVE-2018-0618: Additional protections against injecting scripts into listinfo
  and error messages pages (bsc#1099510).

These non-security issues were fixed:

- The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
  the same as one generated at the same time for a different list and
  IP address.
- An option has been added to bin/add_members to issue invitations
  instead of immediately adding members.
- A new BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE setting has been added to
  enable blocking web subscribes from IPv4 addresses listed in Spamhaus
  SBL, CSS or XBL.  It will work with IPv6 addresses if Python's
  py2-ipaddress module is installed.  The module can be installed via pip
  if not included in your Python.
- Mailman has a new 'security' log and logs authentication failures to the
  various web CGI functions.  The logged data include the remote IP and can be
  used to automate blocking of IPs with something like fail2ban.  Since Mailman
  2.1.14, these have returned an http 401 status and the information should be
  logged by the web server, but this new log makes that more convenient.  Also,
  the 'mischief' log entries for 'hostile listname' noe include the remote IP
  if available.
- admin notices of (un)subscribes now may give
  the source of the action.  This consists of a %(whence)s replacement
  that has been added to the admin(un)subscribeack.txt templates.  Thanks
  to Yasuhito FUTATSUKI for updating the non-English templates and help
  with internationalizing the reasons.
- there is a new BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE setting to enable blocking
  web subscribes for addresses in domains listed in the Spamhaus DBL.
</description>
  <summary>Security update for mailman</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places