
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2360
                          mailman security update
                               13 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mailman
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Modify Arbitrary Files -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15011 CVE-2020-12108 

Reference:         ESB-2020.2249
                   ESB-2020.2231
                   ESB-2020.1827
                   ESB-2020.1651
                   ESB-2020.1625

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2276

--------------------------BEGIN INCLUDED TEXT--------------------


-----------------------------------------------------------------------
Debian LTS Advisory DLA-2276-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
July 10, 2020                               https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : mailman
Version        : 1:2.1.23-1+deb9u6
CVE ID         : CVE-2020-12108 CVE-2020-15011

The following CVEs were reported against src:mailman.

CVE-2020-12108

    /options/mailman in GNU Mailman before 2.1.31 allows Arbitrary
    Content Injection.

CVE-2020-15011

    GNU Mailman before 2.1.33 allows arbitrary content injection via
    the Cgi/private.py private archive login page.

For Debian 9 stretch, these problems have been fixed in version
1:2.1.23-1+deb9u6.

We recommend that you upgrade your mailman packages.

For the detailed security status of mailman please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mailman

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh

--------------------------END INCLUDED TEXT--------------------
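A fleet-side way to confirm that the installed mailman package is at or above the fixed version 1:2.1.23-1+deb9u6, as an added example that is not part of the Debian or AusCERT bulletin. It reimplements the dpkg version ordering (epoch, then upstream, then Debian revision, with '~' sorting before anything) so the check can run on a host or from collected inventory without dpkg present; the dpkg-query sample lines and the package name filter are constructed assumptions.

```python
# Check whether an installed mailman version carries the DLA-2276-1 fix, using the
# dpkg version rules (epoch:upstream-revision, '~' sorts before anything) so the
# check runs without dpkg itself. The sample dpkg-query output below is constructed.
import re
from itertools import zip_longest

FIXED_VERSION = "1:2.1.23-1+deb9u6"  # fixed version stated in DLA-2276-1

def _order(c: str) -> int:
    """dpkg character weight: '~' < end-of-string < letters < other characters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare one version part like dpkg: alternate non-digit runs (by _order)
    and digit runs (numerically, so 2.1.9 < 2.1.23)."""
    def pairs(s): return re.findall(r"(\D*)(\d*)", s)
    for (na, da), (nb, db) in zip_longest(pairs(a), pairs(b), fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like dpkg --compare-versions: epoch, then upstream, then revision."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def unpatched(dpkg_output: str, package: str = "mailman", fixed: str = FIXED_VERSION):
    """(name, version) pairs from 'name version' lines that are older than the fix."""
    hits = []
    for line in dpkg_output.splitlines():
        name, _, version = line.strip().partition(" ")
        if name == package and compare_versions(version, fixed) < 0:
            hits.append((name, version))
    return hits

# Constructed sample in the shape of: dpkg-query -W -f='${Package} ${Version}\n'
SAMPLE_DPKG_OUTPUT = "mailman 1:2.1.23-1+deb9u5\npython 2.7.13-2\n"
```

Note that a version string without the epoch (for example a locally built 2.1.33-1) compares below 1:2.1.23-1+deb9u6 under these rules, which is the intended dpkg behaviour and a common source of false "already newer" conclusions.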

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================