Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2020-12137

GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.

Related bugs and status

CVE-2020-12137 (Candidate) is related to these bugs:

Bug #1886117: Scrubbed application/octet-stream parts should not have .obj extension

Summary				In	Importance	Status
	1886117	Scrubbed application/octet-stream parts should not have .obj extension		GNU Mailman	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: http://bazaar.launchpa...
MISC: https://www.openwall.c...
MISC: https://www.openwall.c...
MLIST: [oss-security] 2020042...
DEBIAN: DSA-4664
MLIST: [debian-lts-announce] ...
UBUNTU: USN-4348-1
FEDORA: FEDORA-2020-69f2f1d987
FEDORA: FEDORA-2020-20b748e81e
SUSE: openSUSE-SU-2020:1707
SUSE: openSUSE-SU-2020:1752