Linux Security

    openSUSE: 2020:1752-1: moderate: Recommended mailman

    Date 27 Oct 2020
    Posted By LinuxSecurity Advisories
    An update that fixes three vulnerabilities is now available.
       openSUSE Security Update: Recommended update for mailman
    ______________________________________________________________________________
    
    Announcement ID:    openSUSE-SU-2020:1752-1
    Rating:             moderate
    References:         #1171363 #1173369 
    Cross-References:   CVE-2020-12108 CVE-2020-12137 CVE-2020-15011
                       
    Affected Products:
                        openSUSE Backports SLE-15-SP2
    ______________________________________________________________________________
    
       An update that fixes three vulnerabilities is now available.
    
    Description:
    
    
       This update for mailman to version 2.1.34 fixes the following issues:
    
        - The fix for lp#1859104 can result in ValueError being thrown
          on attempts to subscribe to a list. This is fixed and extended to apply
          REFUSE_SECOND_PENDING to unsubscription as well. (lp#1878458)
        - DMARC mitigation no longer misses if the domain name returned by DNS
          contains upper case. (lp#1881035)
        - A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent
          mailbombing of a member of a list with private rosters by repeated
          subscribe attempts. (lp#1883017)
        - Very long filenames for scrubbed attachments are now truncated.
          (lp#1884456)
        - A content injection vulnerability via the private login page has been
          fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)
        - A content injection vulnerability via the options login page has been
          discovered and reported by Vishal Singh. CVE-2020-12108 (lp#1873722,
          bsc#1171363)
        - Bounce recognition for a non-compliant Yahoo format is added.
        - Archiving workaround for non-ascii in string.lowercase in some Python
          packages is added.
        - Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses list
          setting that can be used to apply dmarc_moderation_action to mail From:
          addresses listed or matching listed regexps. This can be used to modify
          mail to addresses that don't accept external mail From: themselves.
        - There is a new MAX_LISTNAME_LENGTH setting. The fix for lp#1780874
          obtains a list of the names of all the lists in the installation in
          order to determine the maximum length of a legitimate list name. It
          does this on every web access and, on sites with a very large number
          of lists, this can have performance implications. See the
          description in Defaults.py for more information.
        - Thanks to Ralf Jung there is now the ability to add text based captchas
          (aka textchas) to the listinfo subscribe form. See the documentation
          for the new CAPTCHA setting in Defaults.py for how to enable this. Also
          note that if you have custom listinfo.html templates, you will have to
          add a  tag to those templates to make this work. This
          feature can be used in combination with or instead of the Google
          reCAPTCHA feature added in 2.1.26.
        - Thanks to Ralf Hildebrandt the web admin Membership Management section
          now has a feature to sync the list's membership with a list of email
          addresses as with the bin/sync_members command.
        - There is a new drop_cc list attribute set from DEFAULT_DROP_CC. This
          controls the dropping of addresses from the Cc: header in delivered
          messages by the duplicate avoidance process. (lp#1845751)
        - There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that will cause
          a second request to subscribe to a list, when there is already a pending
          confirmation for that user, to be refused. This can be set to Yes to
          prevent mailbombing of a third party by repeatedly posting the
          subscribe form. (lp#1859104)
        - Fixed the confirm CGI to catch a rare TypeError on simultaneous
          confirmations of the same token. (lp#1785854)
        - Scrubbed application/octet-stream MIME parts will now be given a .bin
          extension instead of .obj. CVE-2020-12137 (lp#1886117)
        - Added bounce recognition for a non-compliant opensmtpd DSN with Action:
          error. (lp#1805137)
        - Corrected and augmented some security log messages. (lp#1810098)
        - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner
          --runner=All. (lp#1818205)
        - Leading/trailing spaces in provided email addresses for login to
          private archives and the user options page are now ignored. (lp#1818872)
        - Fixed the spelling of the --no-restart option for mailmanctl.
        - Fixed an issue where certain combinations of charset and invalid
          characters in a list's description could produce a List-ID header
          without angle brackets. (lp#1831321)
        - With the Postfix MTA and virtual domains, mappings for the site list
          -bounces and -request addresses in each virtual domain are now added to
          data/virtual-mailman (-owner was done in 2.1.24). (lp#1831777)
        - The paths.py module now extends sys.path with the result of
          site.getsitepackages() if available. (lp#1838866)
        - A bug causing a UnicodeDecodeError in preparing to send the
          confirmation request message to a new subscriber has been fixed.
          (lp#1851442)
        - The SimpleMatch heuristic bounce recognizer has been improved to not
          return most invalid email addresses. (lp#1859011)
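
    The REFUSE_SECOND_PENDING and WARN_MEMBER_OF_SUBSCRIBE knobs described above arrive
    with this update, but the wording of the notes ("can be set to Yes", "can be set to
    No") implies they default to the permissive side, so the subscribe-form mailbombing
    vector stays open until a site operator flips them in mm_cfg.py. The script below is
    an added example, not Mailman or openSUSE code: it parses an mm_cfg.py with Python's
    ast module instead of executing it and reports which of the two settings still
    carries the permissive value. The embedded mm_cfg.py fragments are constructed for
    the example, and the assumed defaults are inferred from the advisory text rather
    than read from Defaults.py.

```python
"""Audit an mm_cfg.py for the anti-mailbombing settings this release ships.

Added example, not Mailman or openSUSE code. Setting names and the direction of the
secure value come from the advisory; the assumed defaults (REFUSE_SECOND_PENDING = No,
WARN_MEMBER_OF_SUBSCRIBE = Yes) are inferred from its wording, not read from Defaults.py.
"""
import ast
import sys

# Constructed mm_cfg.py fragments for the example; neither is a real site's file.
CFG_UNCHANGED = """
from Defaults import *
MAILMAN_SITE_LIST = 'mailman'
DEFAULT_EMAIL_HOST = 'lists.example.org'
"""

CFG_HARDENED = """
from Defaults import *
MAILMAN_SITE_LIST = 'mailman'
DEFAULT_EMAIL_HOST = 'lists.example.org'
REFUSE_SECOND_PENDING = Yes      # lp#1859104: refuse a second subscribe while one is pending
WARN_MEMBER_OF_SUBSCRIBE = No    # lp#1883017: stop "already a member" mail on private rosters
"""

# Secure value per setting, plus the default a site is assumed to inherit when mm_cfg.py
# is silent about it (assumption derived from the advisory's "can be set to ..." wording).
ANTI_MAILBOMB_SETTINGS = {
    "REFUSE_SECOND_PENDING": {"assumed_default": False, "secure": True},
    "WARN_MEMBER_OF_SUBSCRIBE": {"assumed_default": True, "secure": False},
}


def _literal(node: ast.AST):
    """Turn a right-hand side into a Python value without executing the config.
    Mailman spells booleans Yes/No (and On/Off); other literals go through literal_eval."""
    if isinstance(node, ast.Name) and node.id in ("Yes", "No", "On", "Off"):
        return node.id in ("Yes", "On")
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError):
        return ast.dump(node)  # expression we cannot evaluate statically; keep its shape


def parse_mm_cfg(source: str) -> dict:
    """Collect top-level NAME = value assignments; a later assignment wins, as at runtime."""
    settings = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    settings[target.id] = _literal(node.value)
    return settings


def _yn(value) -> str:
    return "Yes" if value else "No"


def audit(source: str) -> list:
    """One finding per setting still at the value that lets the subscribe form be abused."""
    cfg = parse_mm_cfg(source)
    findings = []
    for name, spec in ANTI_MAILBOMB_SETTINGS.items():
        explicit = name in cfg
        actual = bool(cfg[name]) if explicit else spec["assumed_default"]
        if actual != spec["secure"]:
            where = "set in mm_cfg.py" if explicit else "inherited default, assumed"
            findings.append(f"{name} = {_yn(actual)} ({where}); set {name} = {_yn(spec['secure'])}")
    return findings


if __name__ == "__main__":
    # usage: python audit_mm_cfg.py /path/to/mm_cfg.py   (the path is site-specific)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else CFG_UNCHANGED
    for line in audit(source) or ["no findings"]:
        print(line)
```

    The values are written Yes/No rather than True/False because mm_cfg.py inherits those
    names from Defaults.py. Run the script against the live file after applying the
    patch; note from the same release notes that REFUSE_SECOND_PENDING now also covers
    unsubscription requests (lp#1878458), so a confirmation that is already pending
    blocks a second request in either direction.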
    
       This update was imported from the openSUSE:Leap:15.2:Update update project.
    
    
    Patch Instructions:
    
       To install this openSUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
    
       Alternatively you can run the command listed for your product:
    
       - openSUSE Backports SLE-15-SP2:
    
          zypper in -t patch openSUSE-2020-1752=1
    
    
    
    Package List:
    
       - openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):
    
          mailman-2.1.34-bp152.7.3.1
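
    To confirm the fix actually landed, compare what rpm reports against the build in the
    package list above. The script below is an added example, not part of the advisory or
    of rpm: it ports rpm's rpmvercmp() segment comparison (digits beat letters, a tilde
    sorts before even the end of the string, a caret just after it, leading zeros are
    ignored) so the check does not fall into the lexical trap where "2.1.9" sorts after
    "2.1.34". The version strings exercised in the example are constructed; epochs are
    not handled because this package list carries none.

```python
"""Check that the installed mailman package is at or past the fixed build.

Added example, not part of the openSUSE advisory or of rpm. The comparison is a
Python port of rpm's rpmvercmp(); the EVR it compares against comes from the
advisory's package list. Epochs are not handled (there are none in this list).
"""
import re
import subprocess

FIXED_MAILMAN_EVR = "2.1.34-bp152.7.3.1"  # from the advisory's Package List


def _skip_separators(s: str, k: int) -> int:
    """Advance past characters rpm ignores: anything but alnum, '~' and '^'."""
    while k < len(s) and not (s[k].isalnum() or s[k] in "~^"):
        k += 1
    return k


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a sorts before, equal to or after b under rpm's rules."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = _skip_separators(a, i), _skip_separators(b, j)
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":  # tilde marks a pre-release: sorts before even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":  # caret marks a post-release: after end of string, before all else
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        # take a maximal run of digits, or of letters, from each side
        pattern = r"\d+" if ca.isdigit() else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        m_b = re.match(pattern, b[j:])
        seg_b = m_b.group(0) if m_b else ""
        i, j = i + len(seg_a), j + len(seg_b)
        if not seg_b:  # one side numeric, the other alphabetic: the numeric side is newer
            return 1 if ca.isdigit() else -1
        if ca.isdigit():
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits (after dropping zeros) means larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whoever still has segments left is newer


def split_evr(evr: str):
    """'version-release' -> (version, release); a bare version gets an empty release."""
    version, dash, release = evr.rpartition("-")
    return (version, release) if dash else (release, "")


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_MAILMAN_EVR) -> bool:
    """rpm compares the version first and lets the release break a tie."""
    iv, ir = split_evr(installed_evr)
    fv, fr = split_evr(fixed_evr)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0


def installed_mailman_evr() -> str:
    """Ask rpm for the installed version-release; empty string if absent or no rpm."""
    try:
        proc = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "mailman"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stdout.strip() if proc.returncode == 0 else ""


if __name__ == "__main__":
    evr = installed_mailman_evr()
    if not evr:
        print("mailman is not installed (or rpm is unavailable)")
    else:
        verdict = "fixed" if is_fixed(evr) else "NOT fixed, apply openSUSE-2020-1752"
        print(f"mailman-{evr}: {verdict}")
```

    The same comparison applies to any later rebuild of the package: a higher release
    with the same version, or any higher version, passes the check, while the older
    2.1.x builds that predate this update fail it.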
    
    
    References:
    
       https://www.suse.com/security/cve/CVE-2020-12108.html
       https://www.suse.com/security/cve/CVE-2020-12137.html
       https://www.suse.com/security/cve/CVE-2020-15011.html
       https://bugzilla.suse.com/1171363
       https://bugzilla.suse.com/1173369
    