Update Info

openSUSE-2021-1452


Security update for mailman


Type: security
Severity: important
Issued: 2021-11-05
Description:
This update for mailman fixes the following issues:

Update to 2.1.35 to fix 2 security issues: 

- A potential for a list member to carry out an off-line brute force
  attack to obtain the list admin password has been reported by Andre
  Protas, Richard Cloke and Andy Nuttall of Apple.  This is fixed.
  CVE-2021-42096  (boo#1191959, LP:#1947639)

- A CSRF attack via the user options page could allow takeover of a user's
  account.  This is fixed.  CVE-2021-42097  (boo#1191960, LP:#1947640)

- make package build reproducible (boo#1047218)

This update was imported from the openSUSE:Leap:15.2:Update update project.

              

Packages


  • mailman-2.1.35-bp152.7.6.1