FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-25 08:52:18 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
739948e3-78bf-11e8-b23c-080027ac955c	mailman -- hardening against malicious listowners injecting evil HTML scripts Mark Sapiro reports: Existing protections against malicious listowners injecting evil scripts into listinfo pages have had a few more checks added. A few more error messages have had their values HTML escaped. The hash generated when SUBSCRIBE_FORM_SECRET is set could have been the same as one generated at the same time for a different list and IP address. Discovery 2018-03-09 Entry 2018-06-25 mailman < 2.1.27 mailman-with-htdig < 2.1.27 ja-mailman < 2.1.14.j7_5,1 https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L8 https://www.mail-archive.com/mailman-users@python.org/ CVE-2018-0618
b4f0ad36-94a5-11e8-9007-080027ac955c	mailman -- content spoofing with invalid list names in web UI Mark Sapiro reports: A URL with a very long text listname such as http://www.example.com/mailman/listinfo/This_is_a_long_string_with_some_phishing_text will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site. This issue was discovered by Hammad Qureshi. Discovery 2018-07-09 Entry 2018-07-31 mailman < 2.1.28 mailman-with-htdig < 2.1.28 ja-mailman < 2.1.14.j7_6,1 https://bugs.launchpad.net/mailman/+bug/1780874 https://mail.python.org/pipermail/mailman-announce/2018-July/000241.html CVE-2018-13796

VuXML ID

Description

739948e3-78bf-11e8-b23c-080027ac955c

mailman -- hardening against malicious listowners injecting evil HTML scripts

Mark Sapiro reports:

Existing protections against malicious listowners injecting evil scripts into listinfo pages have had a few more checks added.

A few more error messages have had their values HTML escaped.

The hash generated when SUBSCRIBE_FORM_SECRET is set could have been the same as one generated at the same time for a different list and IP address.

Discovery 2018-03-09
Entry 2018-06-25
mailman

< 2.1.27

mailman-with-htdig

< 2.1.27

ja-mailman

< 2.1.14.j7_5,1

https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L8
https://www.mail-archive.com/mailman-users@python.org/
CVE-2018-0618

b4f0ad36-94a5-11e8-9007-080027ac955c

mailman -- content spoofing with invalid list names in web UI

Mark Sapiro reports:

A URL with a very long text listname such as
http://www.example.com/mailman/listinfo/This_is_a_long_string_with_some_phishing_text
will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.

This issue was discovered by Hammad Qureshi.

Discovery 2018-07-09
Entry 2018-07-31
mailman

< 2.1.28

mailman-with-htdig

< 2.1.28

ja-mailman

< 2.1.14.j7_6,1

https://bugs.launchpad.net/mailman/+bug/1780874
https://mail.python.org/pipermail/mailman-announce/2018-July/000241.html
CVE-2018-13796