This update for mailman to version 2.1.34 fixes the following issues:
- The fix for lp#1859104 can result in ValueError being thrown
on attempts to subscribe to a list. This is fixed and extended to apply
REFUSE_SECOND_PENDING to unsubscription as well. (lp#1878458)
- DMARC mitigation is no longer skipped when the domain name returned by
DNS contains upper-case characters. (lp#1881035)
- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent
mailbombing of a member of a list with private rosters by repeated
subscribe attempts. (lp#1883017)
- Very long filenames for scrubbed attachments are now truncated.
(lp#1884456)
- A content injection vulnerability via the private login page has been
fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)
- A content injection vulnerability via the options login page has been
discovered and reported by Vishal Singh. CVE-2020-12108 (lp#1873722,
bsc#1171363)
- Bounce...
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2020-1752=1
- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):
mailman-2.1.34-bp152.7.3.1
https://www.suse.com/security/cve/CVE-2020-12108.html
https://www.suse.com/security/cve/CVE-2020-12137.html
https://www.suse.com/security/cve/CVE-2020-15011.html
https://bugzilla.suse.com/1171363
https://bugzilla.suse.com/1173369