openSUSE Security Update: Security update for mailman
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:1858-1
Rating:             moderate
References:         #1099510 
Cross-References:   CVE-2018-0618
Affected Products:
                    openSUSE Leap 42.3
                    openSUSE Leap 15.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for mailman to version 2.1.27 fixes the following issues:

   This security issue was fixed:

   - CVE-2018-0618: Additional protections against injecting scripts into
     listinfo and error messages pages (bsc#1099510).

   These non-security issues were fixed:

   - The hash generated when SUBSCRIBE_FORM_SECRET is set could have been the
     same as one generated at the same time for a different list and IP
     address.
   - An option has been added to bin/add_members to issue invitations instead
     of immediately adding members.
   - A new BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE setting has been added to
     enable blocking web subscribes from IPv4 addresses listed in Spamhaus
     SBL, CSS or XBL.  It will work with IPv6 addresses if Python's
     py2-ipaddress module is installed.  The module can be installed via pip
     if not included in your Python.
   - Mailman has a new 'security' log and logs authentication failures to the
     various web CGI functions.  The logged data include the remote IP and
     can be used to automate blocking of IPs with something like fail2ban.
     Since Mailman 2.1.14, these have returned an http 401 status and the
     information should be logged by the web server, but this new log makes
     that more convenient.  Also, the 'mischief' log entries for 'hostile
     listname' noe include the remote IP if available.
   - admin notices of (un)subscribes now may give the source of the action.
     This consists of a %(whence)s replacement that has been added to the
     admin(un)subscribeack.txt templates.  Thanks to Yasuhito FUTATSUKI for
     updating the non-English templates and help with internationalizing the
     reasons.
   - there is a new BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE setting to enable
     blocking web subscribes for addresses in domains listed in the Spamhaus
     DBL.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2018-691=1

   - openSUSE Leap 15.0:

      zypper in -t patch openSUSE-2018-691=1



Package List:

   - openSUSE Leap 42.3 (x86_64):

      mailman-2.1.27-2.6.1
      mailman-debuginfo-2.1.27-2.6.1
      mailman-debugsource-2.1.27-2.6.1

   - openSUSE Leap 15.0 (x86_64):

      mailman-2.1.27-lp150.2.3.1
      mailman-debuginfo-2.1.27-lp150.2.3.1
      mailman-debugsource-2.1.27-lp150.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2018-0618.html
   https://bugzilla.suse.com/1099510

--

openSUSE: 2018:1858-1: moderate: mailman

June 30, 2018
An update that fixes one vulnerability is now available.

Description

This update for mailman to version 2.1.27 fixes the following issues: This security issue was fixed: - CVE-2018-0618: Additional protections against injecting scripts into listinfo and error messages pages (bsc#1099510). These non-security issues were fixed: - The hash generated when SUBSCRIBE_FORM_SECRET is set could have been the same as one generated at the same time for a different list and IP address. - An option has been added to bin/add_members to issue invitations instead of immediately adding members. - A new BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE setting has been added to enable blocking web subscribes from IPv4 addresses listed in Spamhaus SBL, CSS or XBL. It will work with IPv6 addresses if Python's py2-ipaddress module is installed. The module can be installed via pip if not included in your Python. - Mailman has a new 'security' log and logs authentication failures to the various web CGI functions. The logged data include the remote IP and can be used to automate blocking of IPs with something like fail2ban. Since Mailman 2.1.14, these have returned an http 401 status and the information should be logged by the web server, but this new log makes that more convenient. Also, the 'mischief' log entries for 'hostile listname' noe include the remote IP if available. - admin notices of (un)subscribes now may give the source of the action. This consists of a %(whence)s replacement that has been added to the admin(un)subscribeack.txt templates. Thanks to Yasuhito FUTATSUKI for updating the non-English templates and help with internationalizing the reasons. - there is a new BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE setting to enable blocking web subscribes for addresses in domains listed in the Spamhaus DBL.

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-691=1 - openSUSE Leap 15.0: zypper in -t patch openSUSE-2018-691=1


Package List

- openSUSE Leap 42.3 (x86_64): mailman-2.1.27-2.6.1 mailman-debuginfo-2.1.27-2.6.1 mailman-debugsource-2.1.27-2.6.1 - openSUSE Leap 15.0 (x86_64): mailman-2.1.27-lp150.2.3.1 mailman-debuginfo-2.1.27-lp150.2.3.1 mailman-debugsource-2.1.27-lp150.2.3.1


References

https://www.suse.com/security/cve/CVE-2018-0618.html https://bugzilla.suse.com/1099510--


Severity
Announcement ID: openSUSE-SU-2018:1858-1
Rating: moderate
Affected Products: openSUSE Leap 42.3 openSUSE Leap 15.0

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Recent research sheds light on the security vulnerabilities prevalent in Linux vendor kernels due to flawed engineering processes that backport
28.Lock Globe Esm H320
1 - 2 min read
The intersection of Linux and quantum computing has become increasingly apparent, emphasizing the importance of Linux-based operating systems in
6.EmailConnection Touch Esm H320
2 - 3 min read
Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and
30.Lock Globe Motherboard Esm H320
1 - 2 min read
As cybersecurity practitioners, we are no strangers to the constant threat of malicious actors and the importance of remaining vigilant to protect
22.Lock ScreenEffect Esm H320
1 - 2 min read
EndeavorOS Gemini is a captivating and charming desktop operating system based on Arch Linux. The new release includes a kernel upgrade, 3D graphics
25.@Sign Hook Keyboard Esm H320
1 min read
Cyber risk is increasing for individuals and organizations, making flexible and robust solutions for identifying spam and malware increasingly
19.Laptop Bed Esm H320
2 - 3 min read
The recently released Linux Kernel 6.9 brings forth a blend of crucial upgrades and enhancements, catering to the ever-evolving needs of the Linux
4.Lock AbstractDigital Esm H320
1 - 2 min read
Nmap 7.95 introduces myriad enhancements, primarily focusing on OS and service detection signatures. This reflects the dedication of the Nmap

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved