Explore top 10 tips to secure your open-source projects now. Read More
×
Date: Thu, 25 Jun 2015 16:38:20 -0500 Reply-To: Connie SiehSender: Security Errata for Scientific Linux From: Connie Sieh Subject: Security ERRATA Moderate: mailman on SL7.x x86_64 Comments: To: scientific MIME-Version: 1.0 Message-ID: Synopsis: Moderate: mailman security and bug fix update Advisory ID: SLSA-2015:1153-01 Issue date: 2015-06-23 CVE Names: CVE-2015-2775 -- * It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a "reject" policy for DMARC, such as yahoo.com or AOL.com, were unable to receive Mailman forwarded messages from senders residing in any domain that provided DKIM signatures. With this update, domains with a "reject" DMARC policy are recognized correctly, and Mailman list administrators are able to configure the way these messages are handled. As a result, after a proper configuration, subscribers now correctly receive Mailman forwarded messages in this scenario. (BZ#1229288) * Previously, the /etc/mailman file had incorrectly set permissions, which in some cases caused removing Mailman lists to fail with a "'NoneType' object has no attribute 'close'" message. With this update, the permissions value for /etc/mailman is correctly set to 2775 instead of 0755, and removing Mailman lists now works as expected. (BZ#1229307) * Prior to this update, the mailman utility incorrectly installed the tmpfiles configuration in the /etc/tmpfiles.d/ directory. As a consequence, changes made to mailman tmpfiles configuration were overwritten if the mailman packages were reinstalled or updated. The mailman utility now installs the tmpfiles configuration in the /usr/lib/tmpfiles.d/ directory, and changes made to them by the user are preserved on reinstall or update. (BZ#1229306) All mailman users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. -- SL7 x86_64 mailman-2.1.15-21.el7_1.x86_64.rpm mailman-debuginfo-2.1.15-21.el7_1.x86_64.rpm - Scientific Linux Development Team