Описание
Security update for mailman
This update for mailman fixes the following issues:
Update to 2.1.35 to fix 2 security issues:
-
A potential for for a list member to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed. CVE-2021-42096 (boo#1191959, LP:#1947639)
-
A CSRF attack via the user options page could allow takeover of a users account. This is fixed. CVE-2021-42097 (boo#1191960, LP:#1947640)
-
make package build reproducible (boo#1047218)
Список пакетов
openSUSE Leap 15.2
Ссылки
- E-Mail link for openSUSE-SU-2021:1436-1
- SUSE Security Ratings
- SUSE Bug 1047218
- SUSE Bug 1191959
- SUSE Bug 1191960
- SUSE CVE CVE-2021-42096 page
- SUSE CVE CVE-2021-42097 page
Описание
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.
Затронутые продукты
Ссылки
- CVE-2021-42096
- SUSE Bug 1191959
Описание
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).
Затронутые продукты
Ссылки
- CVE-2021-42097
- SUSE Bug 1191960