SUSE-SU-2018:4296-1

Published: 28 Dec 2018
Source: suse-cvrf

Description

Security update for mailman

This update for mailman fixes the following security vulnerabilities:

  • Fixed an XSS vulnerability and information leak in the user options CGI, which could be used to execute arbitrary scripts in the user's browser via specially encoded URLs (bsc#1077358 CVE-2018-5950)
  • Fixed a directory traversal vulnerability in MTA transports when using the recommended Mailman Transport for Exim (bsc#925502 CVE-2015-2775)
  • Fixed an XSS vulnerability, which allowed malicious list owners to inject scripts into the listinfo pages (bsc#1099510 CVE-2018-0618)
  • Fixed an arbitrary text injection vulnerability in several mailman CGIs (CVE-2018-13796 bsc#1101288)
  • Fixed a CSRF vulnerability on the user options page (CVE-2016-6893 bsc#995352)

Package list

  • SUSE Enterprise Storage 4: mailman-2.1.17-3.3.3
  • SUSE Linux Enterprise Server 12 SP1-LTSS: mailman-2.1.17-3.3.3
  • SUSE Linux Enterprise Server 12 SP2-BCL: mailman-2.1.17-3.3.3
  • SUSE Linux Enterprise Server 12 SP2-LTSS: mailman-2.1.17-3.3.3
  • SUSE Linux Enterprise Server 12 SP3: mailman-2.1.17-3.3.3
  • SUSE Linux Enterprise Server 12 SP4: mailman-2.1.17-3.3.3
  • SUSE Linux Enterprise Server 12-LTSS: mailman-2.1.17-3.3.3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1: mailman-2.1.17-3.3.3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2: mailman-2.1.17-3.3.3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3: mailman-2.1.17-3.3.3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4: mailman-2.1.17-3.3.3
  • SUSE OpenStack Cloud 7: mailman-2.1.17-3.3.3

Description (CVE-2015-2775)

Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute arbitrary files via a .. (dot dot) in a list name.

Affected products
SUSE Enterprise Storage 4:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.3.3

Description (CVE-2016-6893)

Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account.

Affected products
SUSE Enterprise Storage 4:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.3.3

Description (CVE-2018-0618)

Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

Affected products
SUSE Enterprise Storage 4:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.3.3

Description (CVE-2018-13796)

An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site.

Affected products
SUSE Enterprise Storage 4:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.3.3

Description (CVE-2018-5950)

Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL.

Affected products
SUSE Enterprise Storage 4:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.3.3
SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.3.3
