openSUSE Security Update: Recommended update for mailman
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:1707-1
Rating:             moderate
References:         #1171363 #1173369 
Cross-References:   CVE-2020-12108 CVE-2020-12137 CVE-2020-15011
                   
Affected Products:
                    openSUSE Leap 15.2
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:


   This update for mailman to version 2.1.34 fixes the following issues:

    - The fix for lp#1859104 can result in ValueError being thrown
      on attempts to subscribe to a list. This is fixed and extended to apply
       REFUSE_SECOND_PENDING to unsubscription as well. (lp#1878458)
    - DMARC mitigation no longer misses if the domain name returned by DNS
      contains upper case. (lp#1881035)
    - A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent
      mailbombing of a member of a list with private rosters by repeated
      subscribe attempts. (lp#1883017)
    - Very long filenames for scrubbed attachments are now truncated.
      (lp#1884456)
    - A content injection vulnerability via the private login page has been
      fixed. CVE-2020-15011  (lp#1877379, bsc#1173369)
    - A content injection vulnerability via the options login page has been
      discovered and reported by Vishal Singh. CVE-2020-12108 (lp#1873722,
      bsc#1171363)
    - Bounce recognition for a non-compliant Yahoo format is added.
    - Archiving workaround for non-ascii in string.lowercase in some Python
      packages is added.
    - Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses list
      setting that can be used to apply dmarc_moderation_action to mail From:
      addresses listed
      or matching listed regexps. This can be used to modify mail to
       addresses that don't accept external mail From: themselves.
    - There is a new MAX_LISTNAME_LENGTH setting. The fix for lp#1780874
      obtains a list of the names of all the all the lists in the
      installation in order to determine the maximum length of a legitimate
      list name. It does this on every web access and on sites with a very
      large number of lists, this can have performance implications. See the
      description in Defaults.py for more information.
    - Thanks to Ralf Jung there is now the ability to add text based captchas
      (aka textchas) to the listinfo subscribe form. See the documentation
      for the new CAPTCHA setting in Defaults.py for how to enable this. Also
      note that if you have custom listinfo.html templates, you will have to
      add a  tag to those templates to make this work. This
      feature can be used in combination with or instead of the Google
      reCAPTCHA feature added in 2.1.26.
    - Thanks to Ralf Hildebrandt the web admin Membership Management section
      now has a feature to sync the list's membership with a list of email
      addresses as with the bin/sync_members command.
    - There is a new drop_cc list attribute set from DEFAULT_DROP_CC. This
      controls the dropping of addresses from the Cc: header in delivered
      messages by the duplicate avoidance process. (lp#1845751)
    - There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that will cause
      a second request to subscribe to a list when there is already a pending
      confirmation for that user. This can be set to Yes to prevent
      mailbombing of a third party by repeatedly posting the subscribe form.
      (lp#1859104)
    - Fixed the confirm CGI to catch a rare TypeError on simultaneous
      confirmations of the same token. (lp#1785854)
    - Scrubbed application/octet-stream MIME parts will now be given a .bin
      extension instead of .obj. CVE-2020-12137 (lp#1886117)
    - Added bounce recognition for a non-compliant opensmtpd DSN with Action:
      error. (lp#1805137)
    - Corrected and augmented some security log messages. (lp#1810098)
    - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner
      --runner=All. (lp#1818205)
    - Leading/trailing spaces in provided email addresses for login to
      private archives and the user options page are now ignored. (lp#1818872)
    - Fixed the spelling of the --no-restart option for mailmanctl.
    - Fixed an issue where certain combinations of charset and invalid
      characters in a list's description could produce a List-ID header
      without angle brackets. (lp#1831321)
    - With the Postfix MTA and virtual domains, mappings for the site list
      -bounces and -request addresses in each virtual domain are now added to
      data/virtual-mailman (-owner was done in 2.1.24). (lp#1831777)
    - The paths.py module now extends sys.path with the result of
      site.getsitepackages() if available. (lp#1838866)
    - A bug causing a UnicodeDecodeError in preparing to send the
      confirmation request message to a new subscriber has been fixed.
      (lp#1851442)
    - The SimpleMatch heuristic bounce recognizer has been improved to not
      return most invalid email addresses. (lp#1859011)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2020-1707=1



Package List:

   - openSUSE Leap 15.2 (x86_64):

      mailman-2.1.34-lp152.7.3.1
      mailman-debuginfo-2.1.34-lp152.7.3.1
      mailman-debugsource-2.1.34-lp152.7.3.1


References:

   https://www.suse.com/security/cve/CVE-2020-12108.html
   https://www.suse.com/security/cve/CVE-2020-12137.html
   https://www.suse.com/security/cve/CVE-2020-15011.html
   https://bugzilla.suse.com/1171363
   https://bugzilla.suse.com/1173369

--

openSUSE: 2020:1707-1: moderate: Recommended mailman

October 22, 2020
An update that fixes three vulnerabilities is now available.

Description

This update for mailman to version 2.1.34 fixes the following issues: - The fix for lp#1859104 can result in ValueError being thrown on attempts to subscribe to a list. This is fixed and extended to apply REFUSE_SECOND_PENDING to unsubscription as well. (lp#1878458) - DMARC mitigation no longer misses if the domain name returned by DNS contains upper case. (lp#1881035) - A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent mailbombing of a member of a list with private rosters by repeated subscribe attempts. (lp#1883017) - Very long filenames for scrubbed attachments are now truncated. (lp#1884456) - A content injection vulnerability via the private login page has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369) - A content injection vulnerability via the options login page has been discovered and reported by Vishal Singh. CVE-2020-12108 (lp#1873722, bsc#1171363) - Bounce recognition for a non-compliant Yahoo format is added. - Archiving workaround for non-ascii in string.lowercase in some Python packages is added. - Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses list setting that can be used to apply dmarc_moderation_action to mail From: addresses listed or matching listed regexps. This can be used to modify mail to addresses that don't accept external mail From: themselves. - There is a new MAX_LISTNAME_LENGTH setting. The fix for lp#1780874 obtains a list of the names of all the all the lists in the installation in order to determine the maximum length of a legitimate list name. It does this on every web access and on sites with a very large number of lists, this can have performance implications. See the description in Defaults.py for more information. - Thanks to Ralf Jung there is now the ability to add text based captchas (aka textchas) to the listinfo subscribe form. See the documentation for the new CAPTCHA setting in Defaults.py for how to enable this. Also note that if you have custom listinfo.html templates, you will have to add a tag to those templates to make this work. This feature can be used in combination with or instead of the Google reCAPTCHA feature added in 2.1.26. - Thanks to Ralf Hildebrandt the web admin Membership Management section now has a feature to sync the list's membership with a list of email addresses as with the bin/sync_members command. - There is a new drop_cc list attribute set from DEFAULT_DROP_CC. This controls the dropping of addresses from the Cc: header in delivered messages by the duplicate avoidance process. (lp#1845751) - There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that will cause a second request to subscribe to a list when there is already a pending confirmation for that user. This can be set to Yes to prevent mailbombing of a third party by repeatedly posting the subscribe form. (lp#1859104) - Fixed the confirm CGI to catch a rare TypeError on simultaneous confirmations of the same token. (lp#1785854) - Scrubbed application/octet-stream MIME parts will now be given a .bin extension instead of .obj. CVE-2020-12137 (lp#1886117) - Added bounce recognition for a non-compliant opensmtpd DSN with Action: error. (lp#1805137) - Corrected and augmented some security log messages. (lp#1810098) - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All. (lp#1818205) - Leading/trailing spaces in provided email addresses for login to private archives and the user options page are now ignored. (lp#1818872) - Fixed the spelling of the --no-restart option for mailmanctl. - Fixed an issue where certain combinations of charset and invalid characters in a list's description could produce a List-ID header without angle brackets. (lp#1831321) - With the Postfix MTA and virtual domains, mappings for the site list -bounces and -request addresses in each virtual domain are now added to data/virtual-mailman (-owner was done in 2.1.24). (lp#1831777) - The paths.py module now extends sys.path with the result of site.getsitepackages() if available. (lp#1838866) - A bug causing a UnicodeDecodeError in preparing to send the confirmation request message to a new subscriber has been fixed. (lp#1851442) - The SimpleMatch heuristic bounce recognizer has been improved to not return most invalid email addresses. (lp#1859011)

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-1707=1


Package List

- openSUSE Leap 15.2 (x86_64): mailman-2.1.34-lp152.7.3.1 mailman-debuginfo-2.1.34-lp152.7.3.1 mailman-debugsource-2.1.34-lp152.7.3.1


References

https://www.suse.com/security/cve/CVE-2020-12108.html https://www.suse.com/security/cve/CVE-2020-12137.html https://www.suse.com/security/cve/CVE-2020-15011.html https://bugzilla.suse.com/1171363 https://bugzilla.suse.com/1173369--


Severity
Announcement ID: openSUSE-SU-2020:1707-1
Rating: moderate
Affected Products: openSUSE Leap 15.2

Related News

11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
2.Motherboard Esm H320
2 - 3 min read
The recently uncovered "Native Branch History Injection (BHI)" exploit against the Linux kernel marks a significant milestone in the ongoing battle
1.Penguin Landscape Esm H320
1 - 2 min read
There are compelling arguments in favor of Linux over Windows for desktop usage. Let's explore some advantages of choosing Linux over Windows for

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved