
openSUSE: 2020:1707-1 Moderate: mailman Content Injection Fix

Published October 22, 2020

Fixes three CVEs (content injection and related issues) in mailman 2.1.34 on openSUSE Leap 15.2, together with several upstream bug fixes.
An update that fixes three vulnerabilities is now available.

Description

This update for mailman to version 2.1.34 fixes the following issues:

- The fix for lp#1859104 can result in ValueError being thrown on attempts to subscribe to a list. This is fixed and extended to apply REFUSE_SECOND_PENDING to unsubscription as well. (lp#1878458)

- DMARC mitigation no longer misses if the domain name returned by DNS contains upper case. (lp#1881035)

- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent mailbombing of a member of a list with private rosters by repeated subscribe attempts. (lp#1883017)

- Very long filenames for scrubbed attachments are now truncated. (lp#1884456)

- A content injection vulnerability via the private login page has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)

- A content injection vulnerability via the options login page has been discovered and reported by Vishal Singh. CVE-2020-12108 (lp#1873722, bsc#1171363)

- Bounce...


Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2020-1707=1

Package List

- openSUSE Leap 15.2 (x86_64):

mailman-2.1.34-lp152.7.3.1

mailman-debuginfo-2.1.34-lp152.7.3.1

mailman-debugsource-2.1.34-lp152.7.3.1
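After applying the patch, a practitioner wants to confirm that the installed mailman build is at or above the fixed version in the package list. The following script is an added example, not part of the advisory and not openSUSE tooling: it compares the rpm VERSION-RELEASE of mailman against 2.1.34-lp152.7.3.1 and tells you whether the zypper patch command above is still needed. It assumes GNU sort -V for the version comparison and falls back to a constructed sample version when no rpm database is available, so it also runs off-box.

```shell
#!/bin/sh
# Added example: verify that mailman on a Leap 15.2 host is at or above
# the fixed build from openSUSE-SU-2020:1707-1. Not part of the advisory.
# Assumption: version-release strings are compared with GNU sort -V.

# Fixed VERSION-RELEASE as listed in the advisory's package list.
MAILMAN_FIXED="2.1.34-lp152.7.3.1"

# at_least INSTALLED REQUIRED -> returns 0 if INSTALLED >= REQUIRED.
# Both arguments are rpm-style "version-release" strings; sort -V orders
# them segment by segment, so the lowest line must be REQUIRED for the
# installed build to be sufficient.
at_least() {
    installed="$1"
    required="$2"
    [ "$installed" = "$required" ] && return 0
    lowest=$(printf '%s\n%s\n' "$installed" "$required" | sort -V | head -n 1)
    [ "$lowest" = "$required" ]
}

# installed_mailman_version -> prints VERSION-RELEASE from the rpm database.
# When rpm is unavailable (script run off-box), prints a constructed sample
# representing a pre-update build; this value is not real output.
installed_mailman_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q mailman >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' mailman
    else
        echo "2.1.29-lp152.3.2"   # constructed sample, assumed pre-patch build
    fi
}

# check_mailman -> 0 if the fixed build (or newer) is installed, 1 otherwise.
check_mailman() {
    current=$(installed_mailman_version)
    if at_least "$current" "$MAILMAN_FIXED"; then
        echo "mailman $current: patched (>= $MAILMAN_FIXED)"
        return 0
    fi
    echo "mailman $current: update needed: zypper in -t patch openSUSE-2020-1707=1"
    return 1
}

# Usage: run the check and keep its status without aborting under set -e.
status=0
check_mailman || status=$?
```

The exit status in `status` is what you would feed into a fleet-wide compliance check; the comparison helper is deliberately separate from the rpm query so it can be exercised with known inputs.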

References

https://www.suse.com/security/cve/CVE-2020-12108.html

https://www.suse.com/security/cve/CVE-2020-12137.html

https://www.suse.com/security/cve/CVE-2020-15011.html

https://bugzilla.suse.com/1171363

https://bugzilla.suse.com/1173369

--

Announcement ID: openSUSE-SU-2020:1707-1
Rating: moderate
Affected Products: openSUSE Leap 15.2
