GNU Mailman

Scrubbed application/octet-stream parts should not have .obj extension

Bug #1886117 reported by Mark Sapiro on 2020-07-03

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	GNU Mailman	Fix Released	Medium	Unassigned	GNU Mailman 2.1.30

Bug Description

This was fixed in Mailman 2.1.30 by using .bin for the extension, but a bug report was never created.

The issue prior to 2.1.30 was a scrubbed attachment with no extension in it's name would be saved with a .obj extension and some web servers and or browsers would not recognize the .obj extension and possibly serve evil javascript as html.

For more info see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12137

See original description

CVE References

2020-12137

Mark Sapiro (msapiro) on 2020-07-03

description:

updated

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.