[Bug 1454866] Re: Sync mailman 1:2.1.18-2 (main) from Debian unstable (main)

Daniel Holbach daniel.holbach at ubuntu.com
Thu May 14 07:31:06 UTC 2015


This bug was fixed in the package mailman - 1:2.1.18-2
Sponsored for Artur Rona (ari-tczew)

---------------
mailman (1:2.1.18-2) unstable; urgency=high

  * Fix security issue: path traversal through local_part.
    Affects installations which use an Exim or Postfix transport
    instead of fixed aliases; attacker needs to be able to place
    files on the local filesystem.
    (CVE-2015-2775, Closes: 781626)

 -- Thijs Kinkhorst <thijs at debian.org>  Mon, 06 Apr 2015 15:36:15 +0000

** Changed in: mailman (Ubuntu)
       Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2775

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1454866

Title:
  Sync mailman 1:2.1.18-2 (main) from Debian unstable (main)

Status in mailman package in Ubuntu:
  Fix Released

Bug description:
  Please sync mailman 1:2.1.18-2 (main) from Debian unstable (main)

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: path traversal vulnerability
      - debian/patches/CVE-2015-2775.patch: validate list name in
        Mailman/Utils.py, add comment to Mailman/Defaults.py.in.
      - CVE-2015-2775
    * SECURITY UPDATE: path traversal vulnerability
      - debian/patches/CVE-2015-2775.patch: validate list name in
        Mailman/Utils.py, add comment to Mailman/Defaults.py.in.
      - CVE-2015-2775

  CVE has been fixed in Debian, as well.

  Changelog entries since current wily version 1:2.1.18-1ubuntu1:

  mailman (1:2.1.18-2) unstable; urgency=high

    * Fix security issue: path traversal through local_part.
      Affects installations which use an Exim or Postfix transport
      instead of fixed aliases; attacker needs to be able to place
      files on the local filesystem.
      (CVE-2015-2775, Closes: 781626)

   -- Thijs Kinkhorst <thijs at debian.org>  Mon, 06 Apr 2015 15:36:15 +0000

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mailman/+bug/1454866/+subscriptions


