===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2360
                          mailman security update
                               13 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mailman
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Modify Arbitrary Files -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15011 CVE-2020-12108

Reference:         ESB-2020.2249
                   ESB-2020.2231
                   ESB-2020.1827
                   ESB-2020.1651
                   ESB-2020.1625

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2276

--------------------------BEGIN INCLUDED TEXT--------------------

-----------------------------------------------------------------------
Debian LTS Advisory DLA-2276-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
July 10, 2020                               https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : mailman
Version        : 1:2.1.23-1+deb9u6
CVE ID         : CVE-2020-12108 CVE-2020-15011

The following CVEs were reported against src:mailman.

CVE-2020-12108

    /options/mailman in GNU Mailman before 2.1.31 allows Arbitrary
    Content Injection.

CVE-2020-15011

    GNU Mailman before 2.1.33 allows arbitrary content injection via
    the Cgi/private.py private archive login page.

For Debian 9 stretch, these problems have been fixed in version
1:2.1.23-1+deb9u6.

We recommend that you upgrade your mailman packages.

For the detailed security status of mailman please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mailman

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Best,
Utkarsh

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================