Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Mailman is a program used to help manage email discussion lists.
It was found that mailman did not sanitize the list name before passing it
to certain MTAs. A local attacker could use this flaw to execute arbitrary
code as the user running mailman. (CVE-2015-2775)
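An added example, not taken from the Red Hat patch or from Mailman's own code: one way to sanitize an untrusted list name before it is used to build a filesystem path, which is the class of flaw (directory traversal via the list name) that CVE-2015-2775 describes. The allow-list pattern and the names `resolve_list_dir`, `is_safe`, `UnsafeListName` and `lists_root` are assumptions made for illustration.

```python
import os
import re

# Assumption: a conservative allow-list for list names, chosen for this
# example. The first character must be alphanumeric, so "." and ".." fail.
_LISTNAME_RE = re.compile(r"[a-z0-9][a-z0-9+_.=-]*\Z")


class UnsafeListName(ValueError):
    """Raised when a list name could escape the lists directory."""


def resolve_list_dir(lists_root, listname):
    """Return the directory for `listname` under `lists_root`, or raise.

    `listname` is treated as untrusted input and is validated before it
    is used in any filesystem operation.
    """
    name = listname.lower()
    # 1. Allow-list check: rejects "/", NUL, whitespace and empty names.
    #    The extra ".." test blocks names such as "a..b" as well.
    if not _LISTNAME_RE.match(name) or ".." in name:
        raise UnsafeListName(listname)
    # 2. Containment check: the resolved path must be a direct child of
    #    lists_root, which also catches a symlink planted under the root.
    root = os.path.realpath(lists_root)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(candidate) != root:
        raise UnsafeListName(listname)
    return candidate


def is_safe(lists_root, listname):
    """Boolean wrapper around resolve_list_dir for use in filters."""
    try:
        resolve_list_dir(lists_root, listname)
        return True
    except UnsafeListName:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; /var/lib/mailman/lists is a placeholder.
    for sample in ["dev-announce", "../../etc/passwd", "a/b", ".."]:
        print(repr(sample), is_safe("/var/lib/mailman/lists", sample))
```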
This update also fixes the following bugs:
* Previously, it was impossible to configure Mailman in a way that
Domain-based Message Authentication, Reporting & Conformance (DMARC) would
recognize Sender alignment for Domain Key Identified Mail (DKIM)
signatures. Consequently, Mailman list subscribers that belonged to a mail
server with a "reject" policy for DMARC, such as yahoo.com or AOL.com, were
unable to receive Mailman forwarded messages from senders residing in any
domain that provided DKIM signatures. With this update, domains with a
"reject" DMARC policy are recognized correctly, and Mailman list
administrators are able to configure the way these messages are handled. As
a result, after a proper configuration, subscribers now correctly receive
Mailman forwarded messages in this scenario. (BZ#1229288)
* Previously, the /etc/mailman file had incorrectly set permissions, which
in some cases caused removing Mailman lists to fail with a "'NoneType'
object has no attribute 'close'" message. With this update, the permissions
value for /etc/mailman is correctly set to 2775 instead of 0755, and
removing Mailman lists now works as expected. (BZ#1229307)
* Prior to this update, the mailman utility incorrectly installed the
tmpfiles configuration in the /etc/tmpfiles.d/ directory. As a consequence,
changes made to mailman tmpfiles configuration were overwritten if the
mailman packages were reinstalled or updated. The mailman utility now
installs the tmpfiles configuration in the /usr/lib/tmpfiles.d/ directory,
and changes made to them by the user are preserved on reinstall or update.
(BZ#1229306)
All mailman users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.
https://access.redhat.com/security/cve/CVE-2015-2775
https://access.redhat.com/security/updates/classification/#moderate
Red Hat Enterprise Linux Server (v. 7):
Source:
mailman-2.1.15-21.el7_1.src.rpm
ppc64:
mailman-2.1.15-21.el7_1.ppc64.rpm
mailman-debuginfo-2.1.15-21.el7_1.ppc64.rpm
s390x:
mailman-2.1.15-21.el7_1.s390x.rpm
mailman-debuginfo-2.1.15-21.el7_1.s390x.rpm
x86_64:
mailman-2.1.15-21.el7_1.x86_64.rpm
mailman-debuginfo-2.1.15-21.el7_1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
mailman-2.1.15-21.ael7b_1.src.rpm
ppc64le:
mailman-2.1.15-21.ael7b_1.ppc64le.rpm
mailman-debuginfo-2.1.15-21.ael7b_1.ppc64le.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
mailman-2.1.15-21.el7_1.src.rpm
x86_64:
mailman-2.1.15-21.el7_1.x86_64.rpm
mailman-debuginfo-2.1.15-21.el7_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Updated mailman packages that fix one security issue and several bugs are
now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
1208059 - CVE-2015-2775 mailman: directory traversal in MTA transports that deliver programmatically
1229288 - Yahoo.com and AOL DMARC reject policies cripples Mailman-2.1.12 - update to newer release
1229307 - /etc/mailman has wrong permissions 0755 instead of 2775