Scrubbed application/octet-stream parts should not have .obj extension

Bug #1886117 reported by Mark Sapiro on 2020-07-03
This bug affects 1 person
Affects: GNU Mailman
Importance: Medium
Assigned to: Unassigned

Bug Description

This was fixed in Mailman 2.1.30 by using .bin for the extension, but a bug report was never created.

The issue prior to 2.1.30 was a scrubbed attachment with no extension in its name would be saved with a .obj extension and some web servers and/or browsers would not recognize the .obj extension and possibly serve evil JavaScript as HTML.

For more info see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12137


Mark Sapiro (msapiro) on 2020-07-03
description: updated
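
One way to check an existing attachment directory for files stored under the old .obj extension whose leading bytes a content-sniffing browser could treat as HTML. This is an added example, not Mailman code: the function names, the marker list and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Heuristic list of tags that make content look like HTML (an assumption, not exhaustive).
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|iframe|svg|img)\b", re.I)
SNIFF_BYTES = 1024  # only the start of each file is inspected


def looks_like_html(data: bytes) -> bool:
    """Return True if the leading bytes contain an HTML-like tag."""
    return bool(HTML_MARKERS.search(data[:SNIFF_BYTES]))


def find_risky_obj(root: str) -> list[str]:
    """Walk root and return sorted paths of .obj files whose content looks like HTML."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".obj"):
                continue  # .bin and other extensions are out of scope here
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SNIFF_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if looks_like_html(head):
                hits.append(path)
    return sorted(hits)


def demo() -> list[str]:
    """Build a constructed attachment tree and return the flagged file names."""
    samples = {  # constructed sample data, not taken from a real archive
        "attachment.obj": b"<html><script>/* constructed */</script></html>",
        "attachment-0001.obj": b"\x00\x01\x02 opaque binary data",
        "attachment-0002.bin": b"<script>/* .bin is not scanned */</script>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return [os.path.relpath(p, root) for p in find_risky_obj(root)]


if __name__ == "__main__":
    print(demo())
```

Flagged files are candidates for manual review; the heuristic only inspects the first 1024 bytes and does not replicate any particular browser's sniffing rules.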