MGASA-2020-0276

Source
https://advisories.mageia.org/MGASA-2020-0276.html
Import Source
https://advisories.mageia.org/MGASA-2020-0276.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2020-0276
Published
2020-07-05T08:46:44Z
Modified
2026-02-04T04:02:19.151504Z
Summary
Updated mailman packages fix security vulnerability
Details

Updated mailman package fixes security vulnerability:

In mailman versions up to 2.1.29, a file sent without a file extension (or with an unknown file extension) is stored in the list archive with the file extension .obj. Most web servers assign a MIME type based on the file extension and the entries in /etc/mime.types, where .obj is usually not specified, so the web server sends the file without a MIME type. The browser then tries to guess the MIME type from the file's content (MIME sniffing). If the content is HTML, the browser executes any JavaScript it contains, leading to a potential cross-site scripting vulnerability.

The mailman package has been updated to version 2.1.30, fixing this bug and other issues. See the release announcement for details.
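
An added example (not part of the advisory or of mailman's code): a Python audit that walks an archive directory and reports files for which an extension lookup yields no MIME type while the leading bytes look like HTML, the combination described above. The mime.types sample, the HTML prefix list, the demo file and all function names are assumptions made for illustration.

```python
import os
import tempfile

# Constructed stand-in for /etc/mime.types; as on most systems, .obj is absent.
SAMPLE_MIME_TYPES = """\
# MIME type          extensions
text/html            html htm
text/plain           txt
image/png            png
"""

# Assumption: a short, partial list of prefixes that content sniffing treats as HTML.
HTML_PREFIXES = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script")

def parse_mime_types(text):
    """Parse mime.types syntax ("type ext1 ext2 ...") into {".ext": "type"}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for ext in fields[1:]:
            table["." + ext.lower()] = fields[0]
    return table

def served_type(filename, table):
    """Return the Content-Type an extension lookup yields, or None if it finds none."""
    return table.get(os.path.splitext(filename)[1].lower())

def sniffs_as_html(data):
    """True if the leading bytes look like HTML to a content sniffer."""
    return data.lstrip().lower().startswith(HTML_PREFIXES)

def audit_archive(root, table):
    """List archived files that get no Content-Type yet begin like HTML."""
    risky = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if served_type(name, table) is not None:
                continue  # the server labels this file, so the browser does not guess
            with open(path, "rb") as handle:
                if sniffs_as_html(handle.read(512)):
                    risky.append(os.path.relpath(path, root))
    return sorted(risky)

if __name__ == "__main__":  # constructed demo archive with one untyped HTML file
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "attachment.obj"), "wb") as f:
            f.write(b"<html><body>constructed sample</body></html>")
        print(audit_archive(root, parse_mime_types(SAMPLE_MIME_TYPES)))
```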


Affected packages

Mageia:7 / mailman

Package

Name
mailman
Purl
pkg:rpm/mageia/mailman?arch=source&distro=mageia-7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.1.33-1.mga7

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2020-0276.json"