-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: evolution security, bug fix, and enhancement update
Advisory ID:       RHSA-2021:1752-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1752
Issue date:        2021-05-18
CVE Names:         CVE-2020-16117
====================================================================

1. Summary:

An update for evolution, evolution-data-server, and evolution-ews is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Evolution is a GNOME application that provides integrated email, calendar, contact management, and communications functionality.

The evolution-data-server packages provide a unified back end for applications which interact with contacts, tasks and calendar information. Evolution Data Server was originally developed as a back end for the Evolution information management application, but is now used by various other applications.

Security Fix(es):

* evolution-data-server: NULL pointer dereference related to imapx_free_capability and imapx_connect_to_server (CVE-2020-16117)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Evolution must be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1862125 - CVE-2020-16117 evolution-data-server: NULL pointer dereference related to imapx_free_capability and imapx_connect_to_server
1883619 - ECalendarItem: Settings loaded only when being shown
1885229 - Allow change of the Microsoft 365 OAuth2 endpoints
1886026 - Simplify OAuth2 for outlook.office365.com server
1902630 - Crash on file drag into mail composer with WebKitGTK 2.30

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
evolution-3.28.5-16.el8.src.rpm
evolution-data-server-3.28.5-15.el8.src.rpm
evolution-ews-3.28.5-10.el8.src.rpm

aarch64:
evolution-3.28.5-16.el8.aarch64.rpm
evolution-bogofilter-3.28.5-16.el8.aarch64.rpm
evolution-bogofilter-debuginfo-3.28.5-16.el8.aarch64.rpm
evolution-data-server-3.28.5-15.el8.aarch64.rpm
evolution-data-server-debuginfo-3.28.5-15.el8.aarch64.rpm
evolution-data-server-debugsource-3.28.5-15.el8.aarch64.rpm
evolution-data-server-devel-3.28.5-15.el8.aarch64.rpm
evolution-data-server-tests-debuginfo-3.28.5-15.el8.aarch64.rpm
evolution-debuginfo-3.28.5-16.el8.aarch64.rpm
evolution-debugsource-3.28.5-16.el8.aarch64.rpm
evolution-ews-3.28.5-10.el8.aarch64.rpm
evolution-ews-debuginfo-3.28.5-10.el8.aarch64.rpm
evolution-ews-debugsource-3.28.5-10.el8.aarch64.rpm
evolution-pst-3.28.5-16.el8.aarch64.rpm
evolution-pst-debuginfo-3.28.5-16.el8.aarch64.rpm
evolution-spamassassin-3.28.5-16.el8.aarch64.rpm
evolution-spamassassin-debuginfo-3.28.5-16.el8.aarch64.rpm

noarch:
evolution-data-server-langpacks-3.28.5-15.el8.noarch.rpm
evolution-ews-langpacks-3.28.5-10.el8.noarch.rpm
evolution-help-3.28.5-16.el8.noarch.rpm
evolution-langpacks-3.28.5-16.el8.noarch.rpm

ppc64le:
evolution-3.28.5-16.el8.ppc64le.rpm
evolution-bogofilter-3.28.5-16.el8.ppc64le.rpm
evolution-bogofilter-debuginfo-3.28.5-16.el8.ppc64le.rpm
evolution-data-server-3.28.5-15.el8.ppc64le.rpm
evolution-data-server-debuginfo-3.28.5-15.el8.ppc64le.rpm
evolution-data-server-debugsource-3.28.5-15.el8.ppc64le.rpm
evolution-data-server-devel-3.28.5-15.el8.ppc64le.rpm
evolution-data-server-tests-debuginfo-3.28.5-15.el8.ppc64le.rpm
evolution-debuginfo-3.28.5-16.el8.ppc64le.rpm
evolution-debugsource-3.28.5-16.el8.ppc64le.rpm
evolution-ews-3.28.5-10.el8.ppc64le.rpm
evolution-ews-debuginfo-3.28.5-10.el8.ppc64le.rpm
evolution-ews-debugsource-3.28.5-10.el8.ppc64le.rpm
evolution-pst-3.28.5-16.el8.ppc64le.rpm
evolution-pst-debuginfo-3.28.5-16.el8.ppc64le.rpm
evolution-spamassassin-3.28.5-16.el8.ppc64le.rpm
evolution-spamassassin-debuginfo-3.28.5-16.el8.ppc64le.rpm

s390x:
evolution-3.28.5-16.el8.s390x.rpm
evolution-bogofilter-3.28.5-16.el8.s390x.rpm
evolution-bogofilter-debuginfo-3.28.5-16.el8.s390x.rpm
evolution-data-server-3.28.5-15.el8.s390x.rpm
evolution-data-server-debuginfo-3.28.5-15.el8.s390x.rpm
evolution-data-server-debugsource-3.28.5-15.el8.s390x.rpm
evolution-data-server-devel-3.28.5-15.el8.s390x.rpm
evolution-data-server-tests-debuginfo-3.28.5-15.el8.s390x.rpm
evolution-debuginfo-3.28.5-16.el8.s390x.rpm
evolution-debugsource-3.28.5-16.el8.s390x.rpm
evolution-ews-3.28.5-10.el8.s390x.rpm
evolution-ews-debuginfo-3.28.5-10.el8.s390x.rpm
evolution-ews-debugsource-3.28.5-10.el8.s390x.rpm
evolution-pst-3.28.5-16.el8.s390x.rpm
evolution-pst-debuginfo-3.28.5-16.el8.s390x.rpm
evolution-spamassassin-3.28.5-16.el8.s390x.rpm
evolution-spamassassin-debuginfo-3.28.5-16.el8.s390x.rpm

x86_64:
evolution-3.28.5-16.el8.x86_64.rpm
evolution-bogofilter-3.28.5-16.el8.x86_64.rpm
evolution-bogofilter-debuginfo-3.28.5-16.el8.x86_64.rpm
evolution-data-server-3.28.5-15.el8.i686.rpm
evolution-data-server-3.28.5-15.el8.x86_64.rpm
evolution-data-server-debuginfo-3.28.5-15.el8.i686.rpm
evolution-data-server-debuginfo-3.28.5-15.el8.x86_64.rpm
evolution-data-server-debugsource-3.28.5-15.el8.i686.rpm
evolution-data-server-debugsource-3.28.5-15.el8.x86_64.rpm
evolution-data-server-devel-3.28.5-15.el8.i686.rpm
evolution-data-server-devel-3.28.5-15.el8.x86_64.rpm
evolution-data-server-tests-debuginfo-3.28.5-15.el8.i686.rpm
evolution-data-server-tests-debuginfo-3.28.5-15.el8.x86_64.rpm
evolution-debuginfo-3.28.5-16.el8.x86_64.rpm
evolution-debugsource-3.28.5-16.el8.x86_64.rpm
evolution-ews-3.28.5-10.el8.x86_64.rpm
evolution-ews-debuginfo-3.28.5-10.el8.x86_64.rpm
evolution-ews-debugsource-3.28.5-10.el8.x86_64.rpm
evolution-pst-3.28.5-16.el8.x86_64.rpm
evolution-pst-debuginfo-3.28.5-16.el8.x86_64.rpm
evolution-spamassassin-3.28.5-16.el8.x86_64.rpm
evolution-spamassassin-debuginfo-3.28.5-16.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:
evolution-bogofilter-debuginfo-3.28.5-16.el8.aarch64.rpm
evolution-data-server-debuginfo-3.28.5-15.el8.aarch64.rpm
evolution-data-server-debugsource-3.28.5-15.el8.aarch64.rpm
evolution-data-server-perl-3.28.5-15.el8.aarch64.rpm
evolution-data-server-tests-3.28.5-15.el8.aarch64.rpm
evolution-data-server-tests-debuginfo-3.28.5-15.el8.aarch64.rpm
evolution-debuginfo-3.28.5-16.el8.aarch64.rpm
evolution-debugsource-3.28.5-16.el8.aarch64.rpm
evolution-devel-3.28.5-16.el8.aarch64.rpm
evolution-pst-debuginfo-3.28.5-16.el8.aarch64.rpm
evolution-spamassassin-debuginfo-3.28.5-16.el8.aarch64.rpm

noarch:
evolution-data-server-doc-3.28.5-15.el8.noarch.rpm

ppc64le:
evolution-bogofilter-debuginfo-3.28.5-16.el8.ppc64le.rpm
evolution-data-server-debuginfo-3.28.5-15.el8.ppc64le.rpm
evolution-data-server-debugsource-3.28.5-15.el8.ppc64le.rpm
evolution-data-server-perl-3.28.5-15.el8.ppc64le.rpm
evolution-data-server-tests-3.28.5-15.el8.ppc64le.rpm
evolution-data-server-tests-debuginfo-3.28.5-15.el8.ppc64le.rpm
evolution-debuginfo-3.28.5-16.el8.ppc64le.rpm
evolution-debugsource-3.28.5-16.el8.ppc64le.rpm
evolution-devel-3.28.5-16.el8.ppc64le.rpm
evolution-pst-debuginfo-3.28.5-16.el8.ppc64le.rpm
evolution-spamassassin-debuginfo-3.28.5-16.el8.ppc64le.rpm

s390x:
evolution-bogofilter-debuginfo-3.28.5-16.el8.s390x.rpm
evolution-data-server-debuginfo-3.28.5-15.el8.s390x.rpm
evolution-data-server-debugsource-3.28.5-15.el8.s390x.rpm
evolution-data-server-perl-3.28.5-15.el8.s390x.rpm
evolution-data-server-tests-3.28.5-15.el8.s390x.rpm
evolution-data-server-tests-debuginfo-3.28.5-15.el8.s390x.rpm
evolution-debuginfo-3.28.5-16.el8.s390x.rpm
evolution-debugsource-3.28.5-16.el8.s390x.rpm
evolution-devel-3.28.5-16.el8.s390x.rpm
evolution-pst-debuginfo-3.28.5-16.el8.s390x.rpm
evolution-spamassassin-debuginfo-3.28.5-16.el8.s390x.rpm

x86_64:
evolution-bogofilter-debuginfo-3.28.5-16.el8.i686.rpm
evolution-bogofilter-debuginfo-3.28.5-16.el8.x86_64.rpm
evolution-data-server-debuginfo-3.28.5-15.el8.i686.rpm
evolution-data-server-debuginfo-3.28.5-15.el8.x86_64.rpm
evolution-data-server-debugsource-3.28.5-15.el8.i686.rpm
evolution-data-server-debugsource-3.28.5-15.el8.x86_64.rpm
evolution-data-server-perl-3.28.5-15.el8.x86_64.rpm
evolution-data-server-tests-3.28.5-15.el8.i686.rpm
evolution-data-server-tests-3.28.5-15.el8.x86_64.rpm
evolution-data-server-tests-debuginfo-3.28.5-15.el8.i686.rpm
evolution-data-server-tests-debuginfo-3.28.5-15.el8.x86_64.rpm
evolution-debuginfo-3.28.5-16.el8.i686.rpm
evolution-debuginfo-3.28.5-16.el8.x86_64.rpm
evolution-debugsource-3.28.5-16.el8.i686.rpm
evolution-debugsource-3.28.5-16.el8.x86_64.rpm
evolution-devel-3.28.5-16.el8.i686.rpm
evolution-devel-3.28.5-16.el8.x86_64.rpm
evolution-pst-debuginfo-3.28.5-16.el8.i686.rpm
evolution-pst-debuginfo-3.28.5-16.el8.x86_64.rpm
evolution-spamassassin-debuginfo-3.28.5-16.el8.i686.rpm
evolution-spamassassin-debuginfo-3.28.5-16.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-16117
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYKPwHtzjgjWX9erEAQghpw/9H55Trf+AX3xW2qDPoNpYka4UcrlUIc40
WJF72phRvA1+I3A1fLV/SyzTgsM59yZi7pi6wqNeulO6kXp370IOR3GCRMQu3mpg
/dFMmc2Z1ZQvckY9KCw+RIM1Nh2BRNLdPp+BwubFEA2vUJ0lMG8aJtsyUtDqhOyc
P/e6Kk3JEfKw7k5X9zcA+IK1SVtPbKX6d+Wj01d4ta4tj+mSuI9CQ8xwB0CHOPgN
D8nHl1lj7WJcqsTD0hZrwpP0lu2j5icyD91aIFLz4PVAuBlBn/h2N8HyApfJRjRl
cG8mhhh6R+tQqwMPTDtyEoNpchSZ2kJXTfX0m2WdzoGJgS3vp52euX6e9hkY3omB
NGckTqVOpK/+h6XRO/xUi/BQO68T9INIuy7JZWnvlYe/3jD+ZgXDf3FgzcvD8XGx
+74egTeUrth5ogKhtkxe1GeUTjrSo2+eUrzyrdwbaZtYYT69BjeNPYJfRiDuMXA+
yLICn15vN5aK8kNRIoS2uqkjryaEYh3xIGAUlLX162TyGn7BJVgd9i7CwnaYLkpV
dc4RK0IVMsHbwLygHsTNcahTFtl6G8MZy4yg7BevtrTlErW++tBBY/zj5RzW1oxU
Y3SGF2RC6kxgnRPACGiA7J6EzmoPj1HVdxeMXA+YemT42/T1+J8wCY5wsy1gCYK7
zen7h29zMQE=
=B1In
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
openSUSE Security Update: Recommended update for mailman
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:1707-1
Rating:             moderate
References:         #1171363 #1173369
Cross-References:   CVE-2020-12108 CVE-2020-12137 CVE-2020-15011
Affected Products:
                    openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for mailman to version 2.1.34 fixes the following issues:

- The fix for lp#1859104 can result in ValueError being thrown on attempts to subscribe to a list. This is fixed and extended to apply REFUSE_SECOND_PENDING to unsubscription as well. (lp#1878458)
- DMARC mitigation no longer misses if the domain name returned by DNS contains upper case. (lp#1881035)
- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent mailbombing of a member of a list with private rosters by repeated subscribe attempts. (lp#1883017)
- Very long filenames for scrubbed attachments are now truncated. (lp#1884456)
- A content injection vulnerability via the private login page has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)
- A content injection vulnerability via the options login page has been discovered and reported by Vishal Singh. CVE-2020-12108 (lp#1873722, bsc#1171363)
- Bounce recognition for a non-compliant Yahoo format is added.
- Archiving workaround for non-ascii in string.lowercase in some Python packages is added.
- Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses list setting that can be used to apply dmarc_moderation_action to mail From: addresses listed or matching listed regexps. This can be used to modify mail to addresses that don't accept external mail From: themselves.
- There is a new MAX_LISTNAME_LENGTH setting. The fix for lp#1780874 obtains a list of the names of all the lists in the installation in order to determine the maximum length of a legitimate list name. It does this on every web access and on sites with a very large number of lists, this can have performance implications. See the description in Defaults.py for more information.
- Thanks to Ralf Jung there is now the ability to add text based captchas (aka textchas) to the listinfo subscribe form. See the documentation for the new CAPTCHA setting in Defaults.py for how to enable this. Also note that if you have custom listinfo.html templates, you will have to add a tag to those templates to make this work. This feature can be used in combination with or instead of the Google reCAPTCHA feature added in 2.1.26.
- Thanks to Ralf Hildebrandt the web admin Membership Management section now has a feature to sync the list's membership with a list of email addresses as with the bin/sync_members command.
- There is a new drop_cc list attribute set from DEFAULT_DROP_CC. This controls the dropping of addresses from the Cc: header in delivered messages by the duplicate avoidance process. (lp#1845751)
- There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that will cause a second request to subscribe to a list when there is already a pending confirmation for that user. This can be set to Yes to prevent mailbombing of a third party by repeatedly posting the subscribe form. (lp#1859104)
- Fixed the confirm CGI to catch a rare TypeError on simultaneous confirmations of the same token. (lp#1785854)
- Scrubbed application/octet-stream MIME parts will now be given a .bin extension instead of .obj. CVE-2020-12137 (lp#1886117)
- Added bounce recognition for a non-compliant opensmtpd DSN with Action: error. (lp#1805137)
- Corrected and augmented some security log messages. (lp#1810098)
- Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All. (lp#1818205)
- Leading/trailing spaces in provided email addresses for login to private archives and the user options page are now ignored. (lp#1818872)
- Fixed the spelling of the --no-restart option for mailmanctl.
- Fixed an issue where certain combinations of charset and invalid characters in a list's description could produce a List-ID header without angle brackets. (lp#1831321)
- With the Postfix MTA and virtual domains, mappings for the site list -bounces and -request addresses in each virtual domain are now added to data/virtual-mailman (-owner was done in 2.1.24). (lp#1831777)
- The paths.py module now extends sys.path with the result of site.getsitepackages() if available. (lp#1838866)
- A bug causing a UnicodeDecodeError in preparing to send the confirmation request message to a new subscriber has been fixed. (lp#1851442)
- The SimpleMatch heuristic bounce recognizer has been improved to not return most invalid email addresses. (lp#1859011)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

  zypper in -t patch openSUSE-2020-1707=1

Package List:

- openSUSE Leap 15.2 (x86_64):

  mailman-2.1.34-lp152.7.3.1
  mailman-debuginfo-2.1.34-lp152.7.3.1
  mailman-debugsource-2.1.34-lp152.7.3.1

References:

https://www.suse.com/security/cve/CVE-2020-12108.html
https://www.suse.com/security/cve/CVE-2020-12137.html
https://www.suse.com/security/cve/CVE-2020-15011.html
https://bugzilla.suse.com/1171363
https://bugzilla.suse.com/1173369
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-20b748e81e
2020-05-15 02:35:15.252239
--------------------------------------------------------------------------------

Name        : mailman
Product     : Fedora 32
Version     : 2.1.32
Release     : 2.fc32
URL         : https://www.list.org/
Summary     : Mailing list manager with built in Web access
Description :
Mailman is software to help manage email discussion lists, much like Majordomo and Smartmail. Unlike most similar products, Mailman gives each mailing list a webpage, and allows users to subscribe, unsubscribe, etc. over the Web. Even the list manager can administer his or her list entirely from the Web. Mailman also integrates most things people want to do with mailing lists, including archiving, mail news gateways, and so on.

Documentation can be found in: /usr/share/doc/mailman

When the package has finished installing, you will need to perform some additional installation steps, these are described in: /usr/share/doc/mailman/INSTALL.REDHAT
--------------------------------------------------------------------------------
Update Information:

New version v2.1.32
Security fix for CVE-2020-12137
Change mode of /etc/mailman to 2755 (#1656765)
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 6 2020 Pavel Zhukov - 3:2.1.32-2
- Change mode of /etc/mailman to 2755 (#1656765)
* Wed May 6 2020 Pavel Zhukov - 3:2.1.32-1
- New version v2.1.32
* Tue May 5 2020 Pavel Zhukov - 3:2.1.31-1
- New version v2.1.31
* Tue May 5 2020 Pavel Zhukov - 3:2.1.30-1
- New version v2.1.30
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1830007 - CVE-2020-12137 mailman: XSS via file attachments in list archives
        https://bugzilla.redhat.com/show_bug.cgi?id=1830007
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-20b748e81e' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: mailman security and bug fix update
Advisory ID:       RHSA-2015:1417-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2015:1417.html
Issue date:        2015-07-22
Updated on:        2015-03-16
CVE Names:         CVE-2002-0389 CVE-2015-2775
====================================================================

1. Summary:

Updated mailman packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mailman is a program used to help manage e-mail discussion lists.

It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775)

It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives. (CVE-2002-0389)

This update also fixes the following bugs:

* Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a "reject" policy for DMARC, such as yahoo.com or AOL.com, were unable to receive Mailman forwarded messages from senders residing in any domain that provided DKIM signatures. With this update, domains with a "reject" DMARC policy are recognized correctly, and Mailman list administrators are able to configure the way these messages are handled. As a result, after a proper configuration, subscribers now correctly receive Mailman forwarded messages in this scenario. (BZ#1095359)

* Mailman used a console encoding when generating a subject for a "welcome email" when new mailing lists were created by the "newlist" command. Consequently, when the console encoding did not match the encoding used by Mailman for that particular language, characters in the "welcome email" could be displayed incorrectly. Mailman has been fixed to use the correct encoding, and characters in the "welcome email" are now displayed properly. (BZ#1056366)

* The "rmlist" command used a hardcoded path to list data based on the VAR_PREFIX configuration variable. As a consequence, when the list was created outside of VAR_PREFIX, it was impossible to remove it using the "rmlist" command. With this update, the "rmlist" command uses the correct LIST_DATA_DIR value instead of VAR_PREFIX, and it is now possible to remove the list in the described situation. (BZ#1008139)

* Due to an incompatibility between Python and Mailman in Red Hat Enterprise Linux 6, when moderators were approving a moderated message to a mailing list and checked the "Preserve messages for the site administrator" checkbox, Mailman failed to approve the message and returned an error. This incompatibility has been fixed, and Mailman now approves messages as expected in this scenario. (BZ#765807)

* When Mailman was set to not archive a list but the archive was not set to private, attachments sent to that list were placed in a public archive. Consequently, users of Mailman web interface could list private attachments because httpd configuration of public archive directory allows listing all files in the archive directory. The httpd configuration of Mailman has been fixed to not allow listing of private archive directory, and users of Mailman web interface are no longer able to list private attachments. (BZ#745409)

Users of mailman are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

723584 - CVE-2002-0389 mailman: Local users able to read private mailing list archives
745409 - default httpd config for Mailman offers directory listings for lists with disabled but public archives
765807 - Messages to moderated queues are put in shunt box
1008139 - rmlist fails if list_data_dir is not a child of var_prefix
1056366 - The subject of the welcome email is character garbled when creating a new mailing list with the new list command of mailman.
1095359 - Yahoo.com and AOL DMARC reject policies cripples Mailman-2.1.12 - update to newer release
1208059 - CVE-2015-2775 mailman: directory traversal in MTA transports that deliver programmatically

6. Package List:

Red Hat Enterprise Linux Server (v. 6):

Source:
mailman-2.1.12-25.el6.src.rpm

i386:
mailman-2.1.12-25.el6.i686.rpm
mailman-debuginfo-2.1.12-25.el6.i686.rpm

ppc64:
mailman-2.1.12-25.el6.ppc64.rpm
mailman-debuginfo-2.1.12-25.el6.ppc64.rpm

s390x:
mailman-2.1.12-25.el6.s390x.rpm
mailman-debuginfo-2.1.12-25.el6.s390x.rpm

x86_64:
mailman-2.1.12-25.el6.x86_64.rpm
mailman-debuginfo-2.1.12-25.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
mailman-2.1.12-25.el6.src.rpm

i386:
mailman-2.1.12-25.el6.i686.rpm
mailman-debuginfo-2.1.12-25.el6.i686.rpm

x86_64:
mailman-2.1.12-25.el6.x86_64.rpm
mailman-debuginfo-2.1.12-25.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2002-0389
https://access.redhat.com/security/cve/CVE-2015-2775
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVrzaMXlSAg2UNWIIRAlYTAKCbD3DLuXQkBw6nLzSYUSQeOs+TJgCgwv6O
4G6fvU2dMvXPlJGbYXYEkWg=
=miZh
-----END PGP SIGNATURE-----

--
Enterprise-watch-list mailing list
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: mailman security and bug fix update
Advisory ID:       RHSA-2015:1153-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2015:1153.html
Issue date:        2015-06-23
CVE Names:         CVE-2015-2775
====================================================================

1. Summary:

Updated mailman packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mailman is a program used to help manage email discussion lists.

It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775)

This update also fixes the following bugs:

* Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a "reject" policy for DMARC, such as yahoo.com or AOL.com, were unable to receive Mailman forwarded messages from senders residing in any domain that provided DKIM signatures. With this update, domains with a "reject" DMARC policy are recognized correctly, and Mailman list administrators are able to configure the way these messages are handled. As a result, after a proper configuration, subscribers now correctly receive Mailman forwarded messages in this scenario. (BZ#1229288)

* Previously, the /etc/mailman file had incorrectly set permissions, which in some cases caused removing Mailman lists to fail with a "'NoneType' object has no attribute 'close'" message. With this update, the permissions value for /etc/mailman is correctly set to 2775 instead of 0755, and removing Mailman lists now works as expected. (BZ#1229307)

* Prior to this update, the mailman utility incorrectly installed the tmpfiles configuration in the /etc/tmpfiles.d/ directory. As a consequence, changes made to mailman tmpfiles configuration were overwritten if the mailman packages were reinstalled or updated. The mailman utility now installs the tmpfiles configuration in the /usr/lib/tmpfiles.d/ directory, and changes made to them by the user are preserved on reinstall or update. (BZ#1229306)

All mailman users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1208059 - CVE-2015-2775 mailman: directory traversal in MTA transports that deliver programmatically
1229288 - Yahoo.com and AOL DMARC reject policies cripples Mailman-2.1.12 - update to newer release
1229307 - /etc/mailman has wrong permissions 0755 instead of 2775

6. Package List:

Red Hat Enterprise Linux Server (v. 7):

Source:
mailman-2.1.15-21.el7_1.src.rpm

ppc64:
mailman-2.1.15-21.el7_1.ppc64.rpm
mailman-debuginfo-2.1.15-21.el7_1.ppc64.rpm

s390x:
mailman-2.1.15-21.el7_1.s390x.rpm
mailman-debuginfo-2.1.15-21.el7_1.s390x.rpm

x86_64:
mailman-2.1.15-21.el7_1.x86_64.rpm
mailman-debuginfo-2.1.15-21.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
mailman-2.1.15-21.ael7b_1.src.rpm

ppc64le:
mailman-2.1.15-21.ael7b_1.ppc64le.rpm
mailman-debuginfo-2.1.15-21.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
mailman-2.1.15-21.el7_1.src.rpm

x86_64:
mailman-2.1.15-21.el7_1.x86_64.rpm
mailman-debuginfo-2.1.15-21.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2015-2775
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFViUs9XlSAg2UNWIIRAuYlAJ4q2rAStzwEbV1JGGjKY4tb1lhP/gCcCb5A
btptJT3G85uqbP5yWdDNJoU=
=xWgW
-----END PGP SIGNATURE-----

--
Enterprise-watch-list mailing list
====================================================================
Red Hat Security Advisory

Synopsis: Moderate: mailman security update
Advisory ID: RHSA-2011:0307-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2011:0307.html
Issue date: 2011-03-01
CVE Names: CVE-2008-0564 CVE-2010-3089 CVE-2011-0707
====================================================================

1. Summary:

An updated mailman package that fixes multiple security issues is now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Mailman is a program used to help manage email discussion lists.

Multiple input sanitization flaws were found in the way Mailman displayed usernames of subscribed users on certain pages. If a user who is subscribed to a mailing list were able to trick a victim into visiting one of those pages, they could perform a cross-site scripting (XSS) attack against the victim. (CVE-2011-0707)

Multiple input sanitization flaws were found in the way Mailman displayed mailing list information. A mailing list administrator could use this flaw to conduct a cross-site scripting (XSS) attack against victims viewing a list's "listinfo" page. (CVE-2008-0564, CVE-2010-3089)

Red Hat would like to thank Mark Sapiro for reporting the CVE-2011-0707 and CVE-2010-3089 issues.

Users of mailman should upgrade to this updated package, which contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

431526 - CVE-2008-0564 mailman: XSS triggerable by list administrator
631881 - CVE-2010-3089 mailman: Multiple security flaws leading to cross-site scripting (XSS) attacks
677375 - CVE-2011-0707 Mailman: Three XSS flaws due improper escaping of the full name of the member

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:

i386:
mailman-2.1.5.1-34.rhel4.7.i386.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.i386.rpm

ia64:
mailman-2.1.5.1-34.rhel4.7.ia64.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.ia64.rpm

ppc:
mailman-2.1.5.1-34.rhel4.7.ppc.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.ppc.rpm

s390:
mailman-2.1.5.1-34.rhel4.7.s390.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.s390.rpm

s390x:
mailman-2.1.5.1-34.rhel4.7.s390x.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.s390x.rpm

x86_64:
mailman-2.1.5.1-34.rhel4.7.x86_64.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:

i386:
mailman-2.1.5.1-34.rhel4.7.i386.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.i386.rpm

x86_64:
mailman-2.1.5.1-34.rhel4.7.x86_64.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:

i386:
mailman-2.1.5.1-34.rhel4.7.i386.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.i386.rpm

ia64:
mailman-2.1.5.1-34.rhel4.7.ia64.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.ia64.rpm

x86_64:
mailman-2.1.5.1-34.rhel4.7.x86_64.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:

i386:
mailman-2.1.5.1-34.rhel4.7.i386.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.i386.rpm

ia64:
mailman-2.1.5.1-34.rhel4.7.ia64.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.ia64.rpm

x86_64:
mailman-2.1.5.1-34.rhel4.7.x86_64.rpm
mailman-debuginfo-2.1.5.1-34.rhel4.7.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:

i386:
mailman-2.1.9-6.el5_6.1.i386.rpm
mailman-debuginfo-2.1.9-6.el5_6.1.i386.rpm

x86_64:
mailman-2.1.9-6.el5_6.1.x86_64.rpm
mailman-debuginfo-2.1.9-6.el5_6.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:

i386:
mailman-2.1.9-6.el5_6.1.i386.rpm
mailman-debuginfo-2.1.9-6.el5_6.1.i386.rpm

ia64:
mailman-2.1.9-6.el5_6.1.ia64.rpm
mailman-debuginfo-2.1.9-6.el5_6.1.ia64.rpm

ppc:
mailman-2.1.9-6.el5_6.1.ppc.rpm
mailman-debuginfo-2.1.9-6.el5_6.1.ppc.rpm

s390x:
mailman-2.1.9-6.el5_6.1.s390x.rpm
mailman-debuginfo-2.1.9-6.el5_6.1.s390x.rpm

x86_64:
mailman-2.1.9-6.el5_6.1.x86_64.rpm
mailman-debuginfo-2.1.9-6.el5_6.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://access.redhat.com/security/cve/CVE-2008-0564
https://access.redhat.com/security/cve/CVE-2010-3089
https://access.redhat.com/security/cve/CVE-2011-0707
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.

LinuxSecurity.com Team
---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Important: mailman security update
Advisory ID: RHSA-2005:137-01
Advisory URL: https://access.redhat.com/errata/RHSA-2005:137.html
Issue date: 2005-02-15
Updated on: 2005-02-15
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-0202
---------------------------------------------------------------------

1. Summary:

Updated mailman packages to correct a security issue are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

Mailman is software to help manage email discussion lists.

A flaw in the true_path function of Mailman was discovered. A remote attacker who is a member of a private mailman list could use a carefully crafted URL and gain access to arbitrary files on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0202 to this issue.

Note: Mailman installations running on Apache 2.0-based servers are not vulnerable to this issue.

Users of Mailman should update to these erratum packages that contain a patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

147344 - CAN-2005-0202 mailman flaw

6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ad672a2d1781f5ae59185fcf7f6c2bbc mailman-2.1.5-31.rhel4.src.rpm

i386:
acae7750fb5a10b3cf4c48b98c5bae02 mailman-2.1.5-31.rhel4.i386.rpm

ia64:
9762cb809921814537ec2fed5236383f mailman-2.1.5-31.rhel4.ia64.rpm

ppc:
45efaecb49707ae8f6d5f530cf114deb mailman-2.1.5-31.rhel4.ppc.rpm

s390:
9572eac980ee2013e0ce991d8936a7d6 mailman-2.1.5-31.rhel4.s390.rpm

s390x:
b50808f3b6bdd658b664320af68c5d0d mailman-2.1.5-31.rhel4.s390x.rpm

x86_64:
3cba282612d0ca34edc58dae386c5d21 mailman-2.1.5-31.rhel4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ad672a2d1781f5ae59185fcf7f6c2bbc mailman-2.1.5-31.rhel4.src.rpm

i386:
acae7750fb5a10b3cf4c48b98c5bae02 mailman-2.1.5-31.rhel4.i386.rpm

x86_64:
3cba282612d0ca34edc58dae386c5d21 mailman-2.1.5-31.rhel4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ad672a2d1781f5ae59185fcf7f6c2bbc mailman-2.1.5-31.rhel4.src.rpm

i386:
acae7750fb5a10b3cf4c48b98c5bae02 mailman-2.1.5-31.rhel4.i386.rpm

ia64:
9762cb809921814537ec2fed5236383f mailman-2.1.5-31.rhel4.ia64.rpm

x86_64:
3cba282612d0ca34edc58dae386c5d21 mailman-2.1.5-31.rhel4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ad672a2d1781f5ae59185fcf7f6c2bbc mailman-2.1.5-31.rhel4.src.rpm

i386:
acae7750fb5a10b3cf4c48b98c5bae02 mailman-2.1.5-31.rhel4.i386.rpm

ia64:
9762cb809921814537ec2fed5236383f mailman-2.1.5-31.rhel4.ia64.rpm

x86_64:
3cba282612d0ca34edc58dae386c5d21 mailman-2.1.5-31.rhel4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package

7. References:

https://www.cve.org/CVERecord?id=CAN-2005-0202

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.

Severity: Important.

LinuxSecurity.com Team