Описание
Security update for mailman
This update for mailman fixes the following issues:
Security issue fixed:
- CVE-2020-12108: Fixed a content injection bug (bsc#1171363).
- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).
Non-security issue fixed:
- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST (bsc#682920).
Список пакетов
HPE Helion OpenStack 8
mailman-2.1.17-3.20.1
SUSE Enterprise Storage 5
mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server 12 SP1-LTSS
mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server 12 SP2-BCL
mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server 12 SP2-LTSS
mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server 12 SP3-BCL
mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server 12 SP3-LTSS
mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server 12 SP4
mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server 12 SP5
mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP3
mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4
mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5
mailman-2.1.17-3.20.1
SUSE OpenStack Cloud 7
mailman-2.1.17-3.20.1
SUSE OpenStack Cloud 8
mailman-2.1.17-3.20.1
SUSE OpenStack Cloud Crowbar 8
mailman-2.1.17-3.20.1
Ссылки
- Link for SUSE-SU-2020:1301-1
- E-Mail link for SUSE-SU-2020:1301-1
- SUSE Security Ratings
- SUSE Bug 1167068
- SUSE Bug 1170558
- SUSE Bug 1171363
- SUSE Bug 682920
- SUSE CVE CVE-2020-12108 page
- SUSE CVE CVE-2020-12137 page
Описание
/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.
Затронутые продукты
HPE Helion OpenStack 8:mailman-2.1.17-3.20.1
SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1
Ссылки
- CVE-2020-12108
- SUSE Bug 1171363
Описание
GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.
Затронутые продукты
HPE Helion OpenStack 8:mailman-2.1.17-3.20.1
SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1
SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1
Ссылки
- CVE-2020-12137
- SUSE Bug 1170558