
openSUSE: 2020:1752-1 Moderate: Mailman Content Injection Issues

October 27, 2020
openSUSE Security Update: Recommended update for mailman

An update that fixes three vulnerabilities is now available.

Description

This update for mailman to version 2.1.34 fixes the following issues:

- The fix for lp#1859104 can result in ValueError being thrown on attempts to subscribe to a list. This is fixed and extended to apply REFUSE_SECOND_PENDING to unsubscription as well. (lp#1878458)

- DMARC mitigation no longer misses if the domain name returned by DNS contains upper case. (lp#1881035)

- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent mailbombing of a member of a list with private rosters by repeated subscribe attempts. (lp#1883017)

- Very long filenames for scrubbed attachments are now truncated. (lp#1884456)

- A content injection vulnerability via the private login page has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)

- A content injection vulnerability via the options login page has been discovered and reported by Vishal Singh. CVE-2020-12108 (lp#1873722, bsc#1171363)

- Bounce...


Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP2:

zypper in -t patch openSUSE-2020-1752=1

Package List

- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

mailman-2.1.34-bp152.7.3.1
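
To confirm that a host actually carries the fixed build listed above, the following added example (not part of the original advisory) compares the installed mailman version-release against `2.1.34-bp152.7.3.1`. The function names are hypothetical, and it assumes GNU `sort -V` ordering is close enough to RPM's own comparison for these numeric, dot-separated strings.

```shell
#!/bin/sh
# Added example: is the installed mailman at or above the fixed build
# named in this advisory's Package List?
FIXED="2.1.34-bp152.7.3.1"

# ver_ge A B: succeed when A >= B under GNU `sort -V` ordering.
# Assumption: this approximates rpm's version comparison; it is not
# rpm's own algorithm. A plain string compare would wrongly rank
# 2.1.9 above 2.1.34, which is why version sort is used.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# mailman_status VERSION-RELEASE: print "patched" or "needs-update".
mailman_status() {
    if ver_ge "$1" "$FIXED"; then
        echo patched
    else
        echo needs-update
    fi
}

# check_host: query the RPM database on this machine and report status.
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo rpm-not-found; return 2; }
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' mailman 2>/dev/null) \
        || { echo not-installed; return 0; }
    mailman_status "$vr"
}

# Run the live check only when asked, e.g.: sh check_mailman.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

A `needs-update` result means the host should receive `zypper in -t patch openSUSE-2020-1752=1` or a regular `zypper patch` run.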

References

https://www.suse.com/security/cve/CVE-2020-12108.html

https://www.suse.com/security/cve/CVE-2020-12137.html

https://www.suse.com/security/cve/CVE-2020-15011.html

https://bugzilla.suse.com/1171363

https://bugzilla.suse.com/1173369

--

Announcement ID: openSUSE-SU-2020:1752-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP2
