Updated mailman package fixes security vulnerability: Up to mailman 2.1.29 when sending a file without a file extension (or an unknown file extension) then the file is stored in the list archive with the file extension .obj. Most web servers will try to assign a mime type based on the file extension and entries in /etc/mime.types, where .obj is usually not specified. This means the web server will send it out without a mime type. The browser will then try to guess the MIME type based on the file’s content (MIME-sniffing). If the content is HTML then it will execute any javascript contained, leading to a potential cross-site scripting vulnerability. The mailman package has been updated to version 2.1.30, fixing this bug and other issues. See the release announcement for details.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 7 | noarch | mailman | <Â 2.1.33-1 | mailman-2.1.33-1.mga7 |