Date: Wed, 3 Nov 2010 18:27:42 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/151918: [vuxml] mail/mailman: document XSS in 2.1.13 and lower
Message-ID: <20101103152742.7F16EDA81F@void.codelabs.ru>
Resent-Message-ID: <201011031530.oA3FUAOn045869@freefall.freebsd.org>
>Number:         151918
>Category:       ports
>Synopsis:       [vuxml] mail/mailman: document XSS in 2.1.13 and lower
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 03 15:30:10 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 9.0-CURRENT amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 9.0-CURRENT amd64
>Description:
There was an XSS vulnerability in Mailman 2.1.13 and prior: [1]
>How-To-Repeat:
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3089
>Fix:
The port is already at 2.1.14, so only a VuXML entry is needed.
The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
  <vuln vid="132024b9-e74e-11df-bc65-0022156e8794">
    <topic>Mailman -- cross-site scripting in Web interface</topic>
    <affects>
      <package>
        <name>mailman</name>
        <range><lt>2.1.14</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Secunia reports:</p>
        <blockquote cite="http://secunia.com/advisories/41265">
          <p>Two vulnerabilities have been reported in Mailman, which
          can be exploited by malicious users to conduct script
          insertion attacks.</p>
          <p>Certain input passed via the list descriptions is not
          properly sanitised before being displayed to the user.  This
          can be exploited to insert arbitrary HTML and script code,
          which will be executed in a user's browser session in context
          of an affected site when the malicious data is being
          viewed.</p>
          <p>Successful exploitation requires "list owner"
          permissions.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <bid>43187</bid>
      <cvename>CVE-2010-3089</cvename>
      <url>http://secunia.com/advisories/41265</url>
    </references>
    <dates>
      <discovery>2010-09-14</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

It passes 'make validate' for me.
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20101103152742.7F16EDA81F>
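The `<affects>` block in a VuXML entry is what portaudit/pkg-audit match installed package versions against: every bound inside one `<range>` must hold, and any matching `<range>` marks the package as affected. The following is an added example, not part of the PR above or of FreeBSD's own tooling, showing how that evaluation works on the submitted entry. The sample input is the `vuln.xml` text from the PR (the `entry` date is left as the submitter's `TODAY` placeholder and is not parsed). The version comparison is a deliberate simplification, assumed here for illustration: dotted numeric components with an optional `_PORTREVISION` and `,PORTEPOCH` suffix, which is all the mailman port uses; pkg(8)'s real comparison handles more forms.

```python
"""Evaluate a VuXML <affects> range against a package version.

Added example, not code from the PR or from FreeBSD's pkg/portaudit.
Assumption: versions look like MAJOR.MINOR.PATCH[_REV][,EPOCH]; pkg(8)
implements a richer comparison than the one used here.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the vuln.xml entry proposed in the PR, trimmed to the
# elements this script consumes.  <entry>TODAY</entry> is the submitter's
# placeholder and is left untouched.
VULN_XML = """<vuln vid="132024b9-e74e-11df-bc65-0022156e8794">
  <topic>Mailman -- cross-site scripting in Web interface</topic>
  <affects>
    <package>
      <name>mailman</name>
      <range><lt>2.1.14</lt></range>
    </package>
  </affects>
  <references>
    <bid>43187</bid>
    <cvename>CVE-2010-3089</cvename>
    <url>http://secunia.com/advisories/41265</url>
  </references>
  <dates>
    <discovery>2010-09-14</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>"""


def parse_version(v: str):
    """Split 'X.Y.Z_REV,EPOCH' into (epoch, [X, Y, Z], rev) (simplified)."""
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return epoch, parts, rev


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b.
    Epoch dominates, then the numeric components (zero-padded to equal
    length so '2.1' == '2.1.0'), then the port revision."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa = pa + [0] * (n - len(pa))
    pb = pb + [0] * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)


# VuXML bound elements and the comparison result each one accepts.
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def affected_packages(vuln_xml: str):
    """Map each <name> under <package> to its list of <range> bound lists."""
    root = ET.fromstring(vuln_xml)
    out = {}
    for pkg in root.iter("package"):
        ranges = [[(b.tag, b.text.strip()) for b in rng] for rng in pkg.findall("range")]
        for name in pkg.findall("name"):
            out[name.text.strip()] = ranges
    return out


def is_affected(vuln_xml: str, name: str, version: str) -> bool:
    """True when name-version lies inside any <range> of the entry:
    all bounds of one range must hold, any range is sufficient."""
    ranges = affected_packages(vuln_xml).get(name)
    if not ranges:
        return False
    return any(all(OPS[op](compare(version, bound)) for op, bound in bounds)
               for bounds in ranges)


def cve_ids(vuln_xml: str):
    """Collect the CVE identifiers referenced by the entry."""
    return [c.text for c in ET.fromstring(vuln_xml).iter("cvename")]


if __name__ == "__main__":
    for v in ("2.1.13", "2.1.13_2", "2.1.14", "2.1.14_1"):
        print(f"mailman-{v}: affected={is_affected(VULN_XML, 'mailman', v)}")
    print("references:", cve_ids(VULN_XML))
```

Note that `mailman-2.1.13_2` still matches `<lt>2.1.14</lt>`: a port revision bump does not escape the range, which is why the fix in the PR text is "the port is already at 2.1.14" rather than a revision bump, and why the entry needs no upper-bound tweak for later revisions of 2.1.14.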