Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2020-12108 (GCVE-0-2020-12108)
Vulnerability from cvelistv5
Published
2020-05-06 14:50
Modified
2024-08-04 11:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:58.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://code.launchpad.net/mailman"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mail.python.org/pipermail/mailman-announce/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/mailman/+bug/1873722"
},
{
"name": "[debian-lts-announce] 20200507 [SECURITY] [DLA 2204-1] mailman security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html"
},
{
"name": "openSUSE-SU-2020:0661",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html"
},
{
"name": "USN-4354-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4354-1/"
},
{
"name": "openSUSE-SU-2020:0764",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html"
},
{
"name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2276-1] mailman security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00007.html"
},
{
"name": "FEDORA-2020-62f2df3ca4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD/"
},
{
"name": "openSUSE-SU-2020:1707",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"name": "openSUSE-SU-2020:1752",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
},
{
"name": "DSA-4991",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4991"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-23T10:06:15",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://code.launchpad.net/mailman"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mail.python.org/pipermail/mailman-announce/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/mailman/+bug/1873722"
},
{
"name": "[debian-lts-announce] 20200507 [SECURITY] [DLA 2204-1] mailman security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html"
},
{
"name": "openSUSE-SU-2020:0661",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html"
},
{
"name": "USN-4354-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4354-1/"
},
{
"name": "openSUSE-SU-2020:0764",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html"
},
{
"name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2276-1] mailman security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00007.html"
},
{
"name": "FEDORA-2020-62f2df3ca4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD/"
},
{
"name": "openSUSE-SU-2020:1707",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"name": "openSUSE-SU-2020:1752",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
},
{
"name": "DSA-4991",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4991"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12108",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://code.launchpad.net/mailman",
"refsource": "MISC",
"url": "https://code.launchpad.net/mailman"
},
{
"name": "https://mail.python.org/pipermail/mailman-announce/",
"refsource": "MISC",
"url": "https://mail.python.org/pipermail/mailman-announce/"
},
{
"name": "https://bugs.launchpad.net/mailman/+bug/1873722",
"refsource": "CONFIRM",
"url": "https://bugs.launchpad.net/mailman/+bug/1873722"
},
{
"name": "[debian-lts-announce] 20200507 [SECURITY] [DLA 2204-1] mailman security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html"
},
{
"name": "openSUSE-SU-2020:0661",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html"
},
{
"name": "USN-4354-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4354-1/"
},
{
"name": "openSUSE-SU-2020:0764",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html"
},
{
"name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2276-1] mailman security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00007.html"
},
{
"name": "FEDORA-2020-62f2df3ca4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD/"
},
{
"name": "openSUSE-SU-2020:1707",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"name": "openSUSE-SU-2020:1752",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
},
{
"name": "DSA-4991",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4991"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12108",
"datePublished": "2020-05-06T14:50:33",
"dateReserved": "2020-04-23T00:00:00",
"dateUpdated": "2024-08-04T11:48:58.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2020-12108\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-05-06T15:15:11.240\",\"lastModified\":\"2024-11-21T04:59:15.730\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.\"},{\"lang\":\"es\",\"value\":\"El archivo /options/mailman en GNU Mailman versiones anteriores a 2.1.31, permite una Inyecci\u00f3n de Contenido Arbitrario.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gnu:mailman:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.1.31\",\"matchCriteriaId\":\"D5D0E7D5-6A8B-4413-9363-43E5B26B7C38\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"40513095-7E6E-46B3-B604-C926F1BA3568\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*\",\"matchCriteriaId\":\"67E82302-4B77-44F3-97B1-24C18AC4A35D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B620311B-34A3-48A6-82DF-6F078D7A4493\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B009C22E-30A4-4288-BCF6-C3E81DEAF45A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*\",\"matchCriteriaId\":\"7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.launchpad.net/mailman/+bug/1873722\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://code.launchpad.net/mailman\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/07/msg00007.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://mail.python.org/pipermail/mailman-announce/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4354-1/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4991\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.launchpad.net/mailman/+bug/1873722\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://code.launchpad.net/mailman\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/07/msg00007.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://mail.python.org/pipermail/mailman-announce/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4354-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4991\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
rhsa-2021:1751
Vulnerability from csaf_redhat
Published
2021-05-18 13:59
Modified
2025-08-06 05:07
Summary
Red Hat Security Advisory: mailman:2.1 security update
Notes
Topic
An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Mailman is a program used to help manage e-mail discussion lists.
Security Fix(es):
* mailman: arbitrary content injection via the options login page (CVE-2020-12108)
* mailman: arbitrary content injection via the private archive login page (CVE-2020-15011)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Mailman is a program used to help manage e-mail discussion lists.\n\nSecurity Fix(es):\n\n* mailman: arbitrary content injection via the options login page (CVE-2020-12108)\n\n* mailman: arbitrary content injection via the private archive login page (CVE-2020-15011)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:1751",
"url": "https://access.redhat.com/errata/RHSA-2021:1751"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/"
},
{
"category": "external",
"summary": "1848856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848856"
},
{
"category": "external",
"summary": "1850684",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850684"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_1751.json"
}
],
"title": "Red Hat Security Advisory: mailman:2.1 security update",
"tracking": {
"current_release_date": "2025-08-06T05:07:10+00:00",
"generator": {
"date": "2025-08-06T05:07:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.6"
}
},
"id": "RHSA-2021:1751",
"initial_release_date": "2021-05-18T13:59:11+00:00",
"revision_history": [
{
"date": "2021-05-18T13:59:11+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-05-18T13:59:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-08-06T05:07:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman:2.1:8040020200930071637:6435bff4",
"product": {
"name": "mailman:2.1:8040020200930071637:6435bff4",
"product_id": "mailman:2.1:8040020200930071637:6435bff4",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1?rpmmod=mailman:2.1:8040020200930071637:6435bff4"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.src",
"product": {
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.src",
"product_id": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=src\u0026epoch=3"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"product": {
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"product_id": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=x86_64\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"product": {
"name": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"product_id": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=x86_64\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"product": {
"name": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"product_id": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=x86_64\u0026epoch=3"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"product": {
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"product_id": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=s390x\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"product": {
"name": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"product_id": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=s390x\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"product": {
"name": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"product_id": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=s390x\u0026epoch=3"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"product": {
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"product_id": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=ppc64le\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"product": {
"name": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"product_id": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=ppc64le\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"product": {
"name": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"product_id": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=ppc64le\u0026epoch=3"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"product": {
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"product_id": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=aarch64\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"product": {
"name": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"product_id": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=aarch64\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"product": {
"name": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"product_id": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-11.module%2Bel8.4.0%2B8277%2B5e2c6e6e?arch=aarch64\u0026epoch=3"
}
}
}
],
"category": "architecture",
"name": "aarch64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
"product_reference": "mailman:2.1:8040020200930071637:6435bff4",
"relates_to_product_reference": "AppStream-8.4.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64 as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64"
},
"product_reference": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le"
},
"product_reference": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x"
},
"product_reference": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.src as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.src"
},
"product_reference": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.src",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64 as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64"
},
"product_reference": "mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64 as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64"
},
"product_reference": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le"
},
"product_reference": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x"
},
"product_reference": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64 as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64"
},
"product_reference": "mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64 as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64"
},
"product_reference": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le"
},
"product_reference": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x"
},
"product_reference": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64 as a component of mailman:2.1:8040020200930071637:6435bff4 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64"
},
"product_reference": "mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12108",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-05-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1848856"
}
],
"notes": [
{
"category": "description",
"text": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mailman: arbitrary content injection via the options login page",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.src",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-12108"
},
{
"category": "external",
"summary": "RHBZ#1848856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848856"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-12108",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12108"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-12108",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12108"
},
{
"category": "external",
"summary": "https://bugs.launchpad.net/mailman/+bug/1873722",
"url": "https://bugs.launchpad.net/mailman/+bug/1873722"
}
],
"release_date": "2020-05-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-05-18T13:59:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.src",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:1751"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.src",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mailman: arbitrary content injection via the options login page"
},
{
"cve": "CVE-2020-15011",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850684"
}
],
"notes": [
{
"category": "description",
"text": "GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mailman: arbitrary content injection via the private archive login page",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.src",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-15011"
},
{
"category": "external",
"summary": "RHBZ#1850684",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850684"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-15011",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15011"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-15011",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15011"
}
],
"release_date": "2020-05-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-05-18T13:59:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.src",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:1751"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.src",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debuginfo-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.aarch64",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.ppc64le",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.s390x",
"AppStream-8.4.0.GA:mailman:2.1:8040020200930071637:6435bff4:mailman-debugsource-3:2.1.29-11.module+el8.4.0+8277+5e2c6e6e.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mailman: arbitrary content injection via the private archive login page"
}
]
}
opensuse-su-2020:1707-1
Vulnerability from csaf_opensuse
Published
2020-10-22 12:27
Modified
2020-10-22 12:27
Summary
Recommended update for mailman
Notes
Title of the patch
Recommended update for mailman
Description of the patch
This update for mailman to version 2.1.34 fixes the following issues:
- The fix for lp#1859104 can result in ValueError being thrown
on attempts to subscribe to a list. This is fixed and
extended to apply REFUSE_SECOND_PENDING to unsubscription as
well. (lp#1878458)
- DMARC mitigation no longer misses if the domain name returned
by DNS contains upper case. (lp#1881035)
- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to
prevent mailbombing of a member of a list with private
rosters by repeated subscribe attempts. (lp#1883017)
- Very long filenames for scrubbed attachments are now
truncated. (lp#1884456)
- A content injection vulnerability via the private login page
has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)
- A content injection vulnerability via the options login page
has been discovered and reported by Vishal Singh.
CVE-2020-12108 (lp#1873722, bsc#1171363)
- Bounce recognition for a non-compliant Yahoo format is added.
- Archiving workaround for non-ascii in string.lowercase in
some Python packages is added.
- Thanks to Jim Popovitch, there is now
a dmarc_moderation_addresses list setting that can be used to
apply dmarc_moderation_action to mail From: addresses listed
or matching listed regexps. This can be used to modify mail
to addresses that don't accept external mail From:
themselves.
- There is a new MAX_LISTNAME_LENGTH setting. The fix for
lp#1780874 obtains a list of the names of all the all the
lists in the installation in order to determine the maximum
length of a legitimate list name. It does this on every web
access and on sites with a very large number of lists, this
can have performance implications. See the description in
Defaults.py for more information.
- Thanks to Ralf Jung there is now the ability to add text
based captchas (aka textchas) to the listinfo subscribe form.
See the documentation for the new CAPTCHA setting in
Defaults.py for how to enable this. Also note that if you
have custom listinfo.html templates, you will have to add
a <mm-captcha-ui> tag to those templates to make this work.
This feature can be used in combination with or instead of
the Google reCAPTCHA feature added in 2.1.26.
- Thanks to Ralf Hildebrandt the web admin Membership
Management section now has a feature to sync the list's
membership with a list of email addresses as with the
bin/sync_members command.
- There is a new drop_cc list attribute set from
DEFAULT_DROP_CC. This controls the dropping of addresses from
the Cc: header in delivered messages by the duplicate
avoidance process. (lp#1845751)
- There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that
will cause a second request to subscribe to a list when there
is already a pending confirmation for that user. This can be
set to Yes to prevent mailbombing of a third party by
repeatedly posting the subscribe form. (lp#1859104)
- Fixed the confirm CGI to catch a rare TypeError on
simultaneous confirmations of the same token. (lp#1785854)
- Scrubbed application/octet-stream MIME parts will now be
given a .bin extension instead of .obj. CVE-2020-12137
(lp#1886117)
- Added bounce recognition for a non-compliant opensmtpd DSN
with Action: error. (lp#1805137)
- Corrected and augmented some security log messages.
(lp#1810098)
- Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner
--runner=All. (lp#1818205)
- Leading/trailing spaces in provided email addresses for login
to private archives and the user options page are now
ignored. (lp#1818872)
- Fixed the spelling of the --no-restart option for mailmanctl.
- Fixed an issue where certain combinations of charset and
invalid characters in a list's description could produce
a List-ID header without angle brackets. (lp#1831321)
- With the Postfix MTA and virtual domains, mappings for the
site list -bounces and -request addresses in each virtual
domain are now added to data/virtual-mailman (-owner was done
in 2.1.24). (lp#1831777)
- The paths.py module now extends sys.path with the result of
site.getsitepackages() if available. (lp#1838866)
- A bug causing a UnicodeDecodeError in preparing to send the
confirmation request message to a new subscriber has been
fixed. (lp#1851442)
- The SimpleMatch heuristic bounce recognizer has been improved
to not return most invalid email addresses. (lp#1859011)
Patchnames
openSUSE-2020-1707
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Recommended update for mailman",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for mailman to version 2.1.34 fixes the following issues:\n\n - The fix for lp#1859104 can result in ValueError being thrown\n on attempts to subscribe to a list. This is fixed and\n extended to apply REFUSE_SECOND_PENDING to unsubscription as\n well. (lp#1878458)\n - DMARC mitigation no longer misses if the domain name returned\n by DNS contains upper case. (lp#1881035)\n - A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to\n prevent mailbombing of a member of a list with private\n rosters by repeated subscribe attempts. (lp#1883017)\n - Very long filenames for scrubbed attachments are now\n truncated. (lp#1884456)\n - A content injection vulnerability via the private login page\n has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)\n - A content injection vulnerability via the options login page\n has been discovered and reported by Vishal Singh.\n CVE-2020-12108 (lp#1873722, bsc#1171363)\n - Bounce recognition for a non-compliant Yahoo format is added.\n - Archiving workaround for non-ascii in string.lowercase in\n some Python packages is added.\n - Thanks to Jim Popovitch, there is now\n a dmarc_moderation_addresses list setting that can be used to\n apply dmarc_moderation_action to mail From: addresses listed\n or matching listed regexps. This can be used to modify mail\n to addresses that don\u0027t accept external mail From:\n themselves.\n - There is a new MAX_LISTNAME_LENGTH setting. The fix for\n lp#1780874 obtains a list of the names of all the all the\n lists in the installation in order to determine the maximum\n length of a legitimate list name. It does this on every web\n access and on sites with a very large number of lists, this\n can have performance implications. See the description in\n Defaults.py for more information.\n - Thanks to Ralf Jung there is now the ability to add text\n based captchas (aka textchas) to the listinfo subscribe form.\n See the documentation for the new CAPTCHA setting in\n Defaults.py for how to enable this. Also note that if you\n have custom listinfo.html templates, you will have to add\n a \u003cmm-captcha-ui\u003e tag to those templates to make this work.\n This feature can be used in combination with or instead of\n the Google reCAPTCHA feature added in 2.1.26.\n - Thanks to Ralf Hildebrandt the web admin Membership\n Management section now has a feature to sync the list\u0027s\n membership with a list of email addresses as with the\n bin/sync_members command.\n - There is a new drop_cc list attribute set from\n DEFAULT_DROP_CC. This controls the dropping of addresses from\n the Cc: header in delivered messages by the duplicate\n avoidance process. (lp#1845751)\n - There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that\n will cause a second request to subscribe to a list when there\n is already a pending confirmation for that user. This can be\n set to Yes to prevent mailbombing of a third party by\n repeatedly posting the subscribe form. (lp#1859104)\n - Fixed the confirm CGI to catch a rare TypeError on\n simultaneous confirmations of the same token. (lp#1785854)\n - Scrubbed application/octet-stream MIME parts will now be\n given a .bin extension instead of .obj. CVE-2020-12137\n (lp#1886117)\n - Added bounce recognition for a non-compliant opensmtpd DSN\n with Action: error. (lp#1805137)\n - Corrected and augmented some security log messages.\n (lp#1810098)\n - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner\n --runner=All. (lp#1818205)\n - Leading/trailing spaces in provided email addresses for login\n to private archives and the user options page are now\n ignored. (lp#1818872)\n - Fixed the spelling of the --no-restart option for mailmanctl.\n - Fixed an issue where certain combinations of charset and\n invalid characters in a list\u0027s description could produce\n a List-ID header without angle brackets. (lp#1831321)\n - With the Postfix MTA and virtual domains, mappings for the\n site list -bounces and -request addresses in each virtual\n domain are now added to data/virtual-mailman (-owner was done\n in 2.1.24). (lp#1831777)\n - The paths.py module now extends sys.path with the result of\n site.getsitepackages() if available. (lp#1838866)\n - A bug causing a UnicodeDecodeError in preparing to send the\n confirmation request message to a new subscriber has been\n fixed. (lp#1851442)\n - The SimpleMatch heuristic bounce recognizer has been improved\n to not return most invalid email addresses. (lp#1859011)\n ",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-1707",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1707-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:1707-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6LXSIVYX5GOPLZQNIV3JT72GQ7L536DK/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:1707-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6LXSIVYX5GOPLZQNIV3JT72GQ7L536DK/"
},
{
"category": "self",
"summary": "SUSE Bug 1171363",
"url": "https://bugzilla.suse.com/1171363"
},
{
"category": "self",
"summary": "SUSE Bug 1173369",
"url": "https://bugzilla.suse.com/1173369"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12108 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12108/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12137/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-15011 page",
"url": "https://www.suse.com/security/cve/CVE-2020-15011/"
}
],
"title": "Recommended update for mailman",
"tracking": {
"current_release_date": "2020-10-22T12:27:35Z",
"generator": {
"date": "2020-10-22T12:27:35Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:1707-1",
"initial_release_date": "2020-10-22T12:27:35Z",
"revision_history": [
{
"date": "2020-10-22T12:27:35Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.34-lp152.7.3.1.x86_64",
"product": {
"name": "mailman-2.1.34-lp152.7.3.1.x86_64",
"product_id": "mailman-2.1.34-lp152.7.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.34-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
},
"product_reference": "mailman-2.1.34-lp152.7.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12108",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12108"
}
],
"notes": [
{
"category": "general",
"text": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12108",
"url": "https://www.suse.com/security/cve/CVE-2020-12108"
},
{
"category": "external",
"summary": "SUSE Bug 1171363 for CVE-2020-12108",
"url": "https://bugzilla.suse.com/1171363"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-22T12:27:35Z",
"details": "moderate"
}
],
"title": "CVE-2020-12108"
},
{
"cve": "CVE-2020-12137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12137"
}
],
"notes": [
{
"category": "general",
"text": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12137",
"url": "https://www.suse.com/security/cve/CVE-2020-12137"
},
{
"category": "external",
"summary": "SUSE Bug 1170558 for CVE-2020-12137",
"url": "https://bugzilla.suse.com/1170558"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-22T12:27:35Z",
"details": "moderate"
}
],
"title": "CVE-2020-12137"
},
{
"cve": "CVE-2020-15011",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-15011"
}
],
"notes": [
{
"category": "general",
"text": "GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-15011",
"url": "https://www.suse.com/security/cve/CVE-2020-15011"
},
{
"category": "external",
"summary": "SUSE Bug 1173369 for CVE-2020-15011",
"url": "https://bugzilla.suse.com/1173369"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-22T12:27:35Z",
"details": "moderate"
}
],
"title": "CVE-2020-15011"
}
]
}
opensuse-su-2020:0661-1
Vulnerability from csaf_opensuse
Published
2020-05-15 14:15
Modified
2020-05-15 14:15
Summary
Security update for mailman
Notes
Title of the patch
Security update for mailman
Description of the patch
This update for mailman fixes the following issues:
Security issue fixed:
- CVE-2020-12108: Fixed a content injection bug (boo#1171363).
Non-security issue fixed:
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST (boo#682920)
Patchnames
openSUSE-2020-661
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for mailman",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for mailman fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2020-12108: Fixed a content injection bug (boo#1171363).\n\nNon-security issue fixed:\n\n- Don\u0027t default to invalid hosts for DEFAULT_EMAIL_HOST (boo#682920)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-661",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0661-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:0661-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HHEAX4KHY3C7HM7HLD44E7CTFLM6CC4C/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:0661-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HHEAX4KHY3C7HM7HLD44E7CTFLM6CC4C/"
},
{
"category": "self",
"summary": "SUSE Bug 1171363",
"url": "https://bugzilla.suse.com/1171363"
},
{
"category": "self",
"summary": "SUSE Bug 682920",
"url": "https://bugzilla.suse.com/682920"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12108 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12108/"
}
],
"title": "Security update for mailman",
"tracking": {
"current_release_date": "2020-05-15T14:15:39Z",
"generator": {
"date": "2020-05-15T14:15:39Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:0661-1",
"initial_release_date": "2020-05-15T14:15:39Z",
"revision_history": [
{
"date": "2020-05-15T14:15:39Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-lp151.3.11.1.x86_64",
"product": {
"name": "mailman-2.1.29-lp151.3.11.1.x86_64",
"product_id": "mailman-2.1.29-lp151.3.11.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-lp151.3.11.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:mailman-2.1.29-lp151.3.11.1.x86_64"
},
"product_reference": "mailman-2.1.29-lp151.3.11.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12108",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12108"
}
],
"notes": [
{
"category": "general",
"text": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:mailman-2.1.29-lp151.3.11.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12108",
"url": "https://www.suse.com/security/cve/CVE-2020-12108"
},
{
"category": "external",
"summary": "SUSE Bug 1171363 for CVE-2020-12108",
"url": "https://bugzilla.suse.com/1171363"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:mailman-2.1.29-lp151.3.11.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:mailman-2.1.29-lp151.3.11.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-05-15T14:15:39Z",
"details": "moderate"
}
],
"title": "CVE-2020-12108"
}
]
}
opensuse-su-2020:0764-1
Vulnerability from csaf_opensuse
Published
2020-06-03 08:44
Modified
2020-06-03 08:44
Summary
Security update for mailman
Notes
Title of the patch
Security update for mailman
Description of the patch
This update for mailman fixes the following issues:
Security issue fixed:
- CVE-2020-12108: Fixed a content injection bug (boo#1171363).
Non-security issue fixed:
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST (boo#682920)
This update was imported from the openSUSE:Leap:15.1:Update update project.
Patchnames
openSUSE-2020-764
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for mailman",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for mailman fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2020-12108: Fixed a content injection bug (boo#1171363).\n\nNon-security issue fixed:\n\n- Don\u0027t default to invalid hosts for DEFAULT_EMAIL_HOST (boo#682920)\n\nThis update was imported from the openSUSE:Leap:15.1:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-764",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0764-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:0764-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MS2IQWVHIK4IIQJLBCC3TLU5BVTZDYJN/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:0764-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MS2IQWVHIK4IIQJLBCC3TLU5BVTZDYJN/"
},
{
"category": "self",
"summary": "SUSE Bug 1171363",
"url": "https://bugzilla.suse.com/1171363"
},
{
"category": "self",
"summary": "SUSE Bug 682920",
"url": "https://bugzilla.suse.com/682920"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12108 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12108/"
}
],
"title": "Security update for mailman",
"tracking": {
"current_release_date": "2020-06-03T08:44:29Z",
"generator": {
"date": "2020-06-03T08:44:29Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:0764-1",
"initial_release_date": "2020-06-03T08:44:29Z",
"revision_history": [
{
"date": "2020-06-03T08:44:29Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-bp151.5.9.1.aarch64",
"product": {
"name": "mailman-2.1.29-bp151.5.9.1.aarch64",
"product_id": "mailman-2.1.29-bp151.5.9.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-bp151.5.9.1.ppc64le",
"product": {
"name": "mailman-2.1.29-bp151.5.9.1.ppc64le",
"product_id": "mailman-2.1.29-bp151.5.9.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-bp151.5.9.1.s390x",
"product": {
"name": "mailman-2.1.29-bp151.5.9.1.s390x",
"product_id": "mailman-2.1.29-bp151.5.9.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-bp151.5.9.1.x86_64",
"product": {
"name": "mailman-2.1.29-bp151.5.9.1.x86_64",
"product_id": "mailman-2.1.29-bp151.5.9.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP1",
"product": {
"name": "SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-bp151.5.9.1.aarch64 as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.aarch64"
},
"product_reference": "mailman-2.1.29-bp151.5.9.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-bp151.5.9.1.ppc64le as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.ppc64le"
},
"product_reference": "mailman-2.1.29-bp151.5.9.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-bp151.5.9.1.s390x as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.s390x"
},
"product_reference": "mailman-2.1.29-bp151.5.9.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-bp151.5.9.1.x86_64 as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.x86_64"
},
"product_reference": "mailman-2.1.29-bp151.5.9.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12108",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12108"
}
],
"notes": [
{
"category": "general",
"text": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.aarch64",
"SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.ppc64le",
"SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.s390x",
"SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12108",
"url": "https://www.suse.com/security/cve/CVE-2020-12108"
},
{
"category": "external",
"summary": "SUSE Bug 1171363 for CVE-2020-12108",
"url": "https://bugzilla.suse.com/1171363"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.aarch64",
"SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.ppc64le",
"SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.s390x",
"SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.aarch64",
"SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.ppc64le",
"SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.s390x",
"SUSE Package Hub 15 SP1:mailman-2.1.29-bp151.5.9.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-06-03T08:44:29Z",
"details": "moderate"
}
],
"title": "CVE-2020-12108"
}
]
}
opensuse-su-2020:1752-1
Vulnerability from csaf_opensuse
Published
2020-10-27 09:21
Modified
2020-10-27 09:21
Summary
Recommended update for mailman
Notes
Title of the patch
Recommended update for mailman
Description of the patch
This update for mailman to version 2.1.34 fixes the following issues:
- The fix for lp#1859104 can result in ValueError being thrown
on attempts to subscribe to a list. This is fixed and
extended to apply REFUSE_SECOND_PENDING to unsubscription as
well. (lp#1878458)
- DMARC mitigation no longer misses if the domain name returned
by DNS contains upper case. (lp#1881035)
- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to
prevent mailbombing of a member of a list with private
rosters by repeated subscribe attempts. (lp#1883017)
- Very long filenames for scrubbed attachments are now
truncated. (lp#1884456)
- A content injection vulnerability via the private login page
has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)
- A content injection vulnerability via the options login page
has been discovered and reported by Vishal Singh.
CVE-2020-12108 (lp#1873722, bsc#1171363)
- Bounce recognition for a non-compliant Yahoo format is added.
- Archiving workaround for non-ascii in string.lowercase in
some Python packages is added.
- Thanks to Jim Popovitch, there is now
a dmarc_moderation_addresses list setting that can be used to
apply dmarc_moderation_action to mail From: addresses listed
or matching listed regexps. This can be used to modify mail
to addresses that don't accept external mail From:
themselves.
- There is a new MAX_LISTNAME_LENGTH setting. The fix for
lp#1780874 obtains a list of the names of all the all the
lists in the installation in order to determine the maximum
length of a legitimate list name. It does this on every web
access and on sites with a very large number of lists, this
can have performance implications. See the description in
Defaults.py for more information.
- Thanks to Ralf Jung there is now the ability to add text
based captchas (aka textchas) to the listinfo subscribe form.
See the documentation for the new CAPTCHA setting in
Defaults.py for how to enable this. Also note that if you
have custom listinfo.html templates, you will have to add
a <mm-captcha-ui> tag to those templates to make this work.
This feature can be used in combination with or instead of
the Google reCAPTCHA feature added in 2.1.26.
- Thanks to Ralf Hildebrandt the web admin Membership
Management section now has a feature to sync the list's
membership with a list of email addresses as with the
bin/sync_members command.
- There is a new drop_cc list attribute set from
DEFAULT_DROP_CC. This controls the dropping of addresses from
the Cc: header in delivered messages by the duplicate
avoidance process. (lp#1845751)
- There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that
will cause a second request to subscribe to a list when there
is already a pending confirmation for that user. This can be
set to Yes to prevent mailbombing of a third party by
repeatedly posting the subscribe form. (lp#1859104)
- Fixed the confirm CGI to catch a rare TypeError on
simultaneous confirmations of the same token. (lp#1785854)
- Scrubbed application/octet-stream MIME parts will now be
given a .bin extension instead of .obj. CVE-2020-12137
(lp#1886117)
- Added bounce recognition for a non-compliant opensmtpd DSN
with Action: error. (lp#1805137)
- Corrected and augmented some security log messages.
(lp#1810098)
- Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner
--runner=All. (lp#1818205)
- Leading/trailing spaces in provided email addresses for login
to private archives and the user options page are now
ignored. (lp#1818872)
- Fixed the spelling of the --no-restart option for mailmanctl.
- Fixed an issue where certain combinations of charset and
invalid characters in a list's description could produce
a List-ID header without angle brackets. (lp#1831321)
- With the Postfix MTA and virtual domains, mappings for the
site list -bounces and -request addresses in each virtual
domain are now added to data/virtual-mailman (-owner was done
in 2.1.24). (lp#1831777)
- The paths.py module now extends sys.path with the result of
site.getsitepackages() if available. (lp#1838866)
- A bug causing a UnicodeDecodeError in preparing to send the
confirmation request message to a new subscriber has been
fixed. (lp#1851442)
- The SimpleMatch heuristic bounce recognizer has been improved
to not return most invalid email addresses. (lp#1859011)
This update was imported from the openSUSE:Leap:15.2:Update update project.
Patchnames
openSUSE-2020-1752
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Recommended update for mailman",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for mailman to version 2.1.34 fixes the following issues:\n\n - The fix for lp#1859104 can result in ValueError being thrown\n on attempts to subscribe to a list. This is fixed and\n extended to apply REFUSE_SECOND_PENDING to unsubscription as\n well. (lp#1878458)\n - DMARC mitigation no longer misses if the domain name returned\n by DNS contains upper case. (lp#1881035)\n - A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to\n prevent mailbombing of a member of a list with private\n rosters by repeated subscribe attempts. (lp#1883017)\n - Very long filenames for scrubbed attachments are now\n truncated. (lp#1884456)\n - A content injection vulnerability via the private login page\n has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)\n - A content injection vulnerability via the options login page\n has been discovered and reported by Vishal Singh.\n CVE-2020-12108 (lp#1873722, bsc#1171363)\n - Bounce recognition for a non-compliant Yahoo format is added.\n - Archiving workaround for non-ascii in string.lowercase in\n some Python packages is added.\n - Thanks to Jim Popovitch, there is now\n a dmarc_moderation_addresses list setting that can be used to\n apply dmarc_moderation_action to mail From: addresses listed\n or matching listed regexps. This can be used to modify mail\n to addresses that don\u0027t accept external mail From:\n themselves.\n - There is a new MAX_LISTNAME_LENGTH setting. The fix for\n lp#1780874 obtains a list of the names of all the all the\n lists in the installation in order to determine the maximum\n length of a legitimate list name. It does this on every web\n access and on sites with a very large number of lists, this\n can have performance implications. See the description in\n Defaults.py for more information.\n - Thanks to Ralf Jung there is now the ability to add text\n based captchas (aka textchas) to the listinfo subscribe form.\n See the documentation for the new CAPTCHA setting in\n Defaults.py for how to enable this. Also note that if you\n have custom listinfo.html templates, you will have to add\n a \u003cmm-captcha-ui\u003e tag to those templates to make this work.\n This feature can be used in combination with or instead of\n the Google reCAPTCHA feature added in 2.1.26.\n - Thanks to Ralf Hildebrandt the web admin Membership\n Management section now has a feature to sync the list\u0027s\n membership with a list of email addresses as with the\n bin/sync_members command.\n - There is a new drop_cc list attribute set from\n DEFAULT_DROP_CC. This controls the dropping of addresses from\n the Cc: header in delivered messages by the duplicate\n avoidance process. (lp#1845751)\n - There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that\n will cause a second request to subscribe to a list when there\n is already a pending confirmation for that user. This can be\n set to Yes to prevent mailbombing of a third party by\n repeatedly posting the subscribe form. (lp#1859104)\n - Fixed the confirm CGI to catch a rare TypeError on\n simultaneous confirmations of the same token. (lp#1785854)\n - Scrubbed application/octet-stream MIME parts will now be\n given a .bin extension instead of .obj. CVE-2020-12137\n (lp#1886117)\n - Added bounce recognition for a non-compliant opensmtpd DSN\n with Action: error. (lp#1805137)\n - Corrected and augmented some security log messages.\n (lp#1810098)\n - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner\n --runner=All. (lp#1818205)\n - Leading/trailing spaces in provided email addresses for login\n to private archives and the user options page are now\n ignored. (lp#1818872)\n - Fixed the spelling of the --no-restart option for mailmanctl.\n - Fixed an issue where certain combinations of charset and\n invalid characters in a list\u0027s description could produce\n a List-ID header without angle brackets. (lp#1831321)\n - With the Postfix MTA and virtual domains, mappings for the\n site list -bounces and -request addresses in each virtual\n domain are now added to data/virtual-mailman (-owner was done\n in 2.1.24). (lp#1831777)\n - The paths.py module now extends sys.path with the result of\n site.getsitepackages() if available. (lp#1838866)\n - A bug causing a UnicodeDecodeError in preparing to send the\n confirmation request message to a new subscriber has been\n fixed. (lp#1851442)\n - The SimpleMatch heuristic bounce recognizer has been improved\n to not return most invalid email addresses. (lp#1859011)\n \nThis update was imported from the openSUSE:Leap:15.2:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-1752",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1752-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:1752-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Z4ZASCRNOELSGFUS6XMOBBM2KR7G3COA/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:1752-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Z4ZASCRNOELSGFUS6XMOBBM2KR7G3COA/"
},
{
"category": "self",
"summary": "SUSE Bug 1171363",
"url": "https://bugzilla.suse.com/1171363"
},
{
"category": "self",
"summary": "SUSE Bug 1173369",
"url": "https://bugzilla.suse.com/1173369"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12108 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12108/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12137/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-15011 page",
"url": "https://www.suse.com/security/cve/CVE-2020-15011/"
}
],
"title": "Recommended update for mailman",
"tracking": {
"current_release_date": "2020-10-27T09:21:55Z",
"generator": {
"date": "2020-10-27T09:21:55Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:1752-1",
"initial_release_date": "2020-10-27T09:21:55Z",
"revision_history": [
{
"date": "2020-10-27T09:21:55Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.34-bp152.7.3.1.aarch64",
"product": {
"name": "mailman-2.1.34-bp152.7.3.1.aarch64",
"product_id": "mailman-2.1.34-bp152.7.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.34-bp152.7.3.1.ppc64le",
"product": {
"name": "mailman-2.1.34-bp152.7.3.1.ppc64le",
"product_id": "mailman-2.1.34-bp152.7.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.34-bp152.7.3.1.s390x",
"product": {
"name": "mailman-2.1.34-bp152.7.3.1.s390x",
"product_id": "mailman-2.1.34-bp152.7.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.34-bp152.7.3.1.x86_64",
"product": {
"name": "mailman-2.1.34-bp152.7.3.1.x86_64",
"product_id": "mailman-2.1.34-bp152.7.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP2",
"product": {
"name": "SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.34-bp152.7.3.1.aarch64 as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64"
},
"product_reference": "mailman-2.1.34-bp152.7.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.34-bp152.7.3.1.ppc64le as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le"
},
"product_reference": "mailman-2.1.34-bp152.7.3.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.34-bp152.7.3.1.s390x as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x"
},
"product_reference": "mailman-2.1.34-bp152.7.3.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.34-bp152.7.3.1.x86_64 as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
},
"product_reference": "mailman-2.1.34-bp152.7.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12108",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12108"
}
],
"notes": [
{
"category": "general",
"text": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12108",
"url": "https://www.suse.com/security/cve/CVE-2020-12108"
},
{
"category": "external",
"summary": "SUSE Bug 1171363 for CVE-2020-12108",
"url": "https://bugzilla.suse.com/1171363"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-27T09:21:55Z",
"details": "moderate"
}
],
"title": "CVE-2020-12108"
},
{
"cve": "CVE-2020-12137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12137"
}
],
"notes": [
{
"category": "general",
"text": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12137",
"url": "https://www.suse.com/security/cve/CVE-2020-12137"
},
{
"category": "external",
"summary": "SUSE Bug 1170558 for CVE-2020-12137",
"url": "https://bugzilla.suse.com/1170558"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-27T09:21:55Z",
"details": "moderate"
}
],
"title": "CVE-2020-12137"
},
{
"cve": "CVE-2020-15011",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-15011"
}
],
"notes": [
{
"category": "general",
"text": "GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-15011",
"url": "https://www.suse.com/security/cve/CVE-2020-15011"
},
{
"category": "external",
"summary": "SUSE Bug 1173369 for CVE-2020-15011",
"url": "https://bugzilla.suse.com/1173369"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-27T09:21:55Z",
"details": "moderate"
}
],
"title": "CVE-2020-15011"
}
]
}
suse-su-2020:1301-1
Vulnerability from csaf_suse
Published
2020-05-18 05:47
Modified
2020-05-18 05:47
Summary
Security update for mailman
Notes
Title of the patch
Security update for mailman
Description of the patch
This update for mailman fixes the following issues:
Security issue fixed:
- CVE-2020-12108: Fixed a content injection bug (bsc#1171363).
- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).
Non-security issue fixed:
- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST (bsc#682920).
Patchnames
HPE-Helion-OpenStack-8-2020-1301,SUSE-2020-1301,SUSE-OpenStack-Cloud-7-2020-1301,SUSE-OpenStack-Cloud-8-2020-1301,SUSE-OpenStack-Cloud-Crowbar-8-2020-1301,SUSE-SLE-SAP-12-SP1-2020-1301,SUSE-SLE-SAP-12-SP2-2020-1301,SUSE-SLE-SAP-12-SP3-2020-1301,SUSE-SLE-SERVER-12-SP1-2020-1301,SUSE-SLE-SERVER-12-SP2-2020-1301,SUSE-SLE-SERVER-12-SP2-BCL-2020-1301,SUSE-SLE-SERVER-12-SP3-2020-1301,SUSE-SLE-SERVER-12-SP3-BCL-2020-1301,SUSE-SLE-SERVER-12-SP4-2020-1301,SUSE-SLE-SERVER-12-SP5-2020-1301,SUSE-Storage-5-2020-1301
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for mailman",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for mailman fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2020-12108: Fixed a content injection bug (bsc#1171363).\n- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).\n\nNon-security issue fixed:\n\n- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).\n- Don\u0027t default to invalid hosts for DEFAULT_EMAIL_HOST (bsc#682920).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "HPE-Helion-OpenStack-8-2020-1301,SUSE-2020-1301,SUSE-OpenStack-Cloud-7-2020-1301,SUSE-OpenStack-Cloud-8-2020-1301,SUSE-OpenStack-Cloud-Crowbar-8-2020-1301,SUSE-SLE-SAP-12-SP1-2020-1301,SUSE-SLE-SAP-12-SP2-2020-1301,SUSE-SLE-SAP-12-SP3-2020-1301,SUSE-SLE-SERVER-12-SP1-2020-1301,SUSE-SLE-SERVER-12-SP2-2020-1301,SUSE-SLE-SERVER-12-SP2-BCL-2020-1301,SUSE-SLE-SERVER-12-SP3-2020-1301,SUSE-SLE-SERVER-12-SP3-BCL-2020-1301,SUSE-SLE-SERVER-12-SP4-2020-1301,SUSE-SLE-SERVER-12-SP5-2020-1301,SUSE-Storage-5-2020-1301",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2020_1301-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2020:1301-1",
"url": "https://www.suse.com/support/update/announcement/2020/suse-su-20201301-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2020:1301-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2020-May/006830.html"
},
{
"category": "self",
"summary": "SUSE Bug 1167068",
"url": "https://bugzilla.suse.com/1167068"
},
{
"category": "self",
"summary": "SUSE Bug 1170558",
"url": "https://bugzilla.suse.com/1170558"
},
{
"category": "self",
"summary": "SUSE Bug 1171363",
"url": "https://bugzilla.suse.com/1171363"
},
{
"category": "self",
"summary": "SUSE Bug 682920",
"url": "https://bugzilla.suse.com/682920"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12108 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12108/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12137/"
}
],
"title": "Security update for mailman",
"tracking": {
"current_release_date": "2020-05-18T05:47:04Z",
"generator": {
"date": "2020-05-18T05:47:04Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2020:1301-1",
"initial_release_date": "2020-05-18T05:47:04Z",
"revision_history": [
{
"date": "2020-05-18T05:47:04Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.17-3.20.1.aarch64",
"product": {
"name": "mailman-2.1.17-3.20.1.aarch64",
"product_id": "mailman-2.1.17-3.20.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.17-3.20.1.i586",
"product": {
"name": "mailman-2.1.17-3.20.1.i586",
"product_id": "mailman-2.1.17-3.20.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.17-3.20.1.ppc64le",
"product": {
"name": "mailman-2.1.17-3.20.1.ppc64le",
"product_id": "mailman-2.1.17-3.20.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.17-3.20.1.s390",
"product": {
"name": "mailman-2.1.17-3.20.1.s390",
"product_id": "mailman-2.1.17-3.20.1.s390"
}
}
],
"category": "architecture",
"name": "s390"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.17-3.20.1.s390x",
"product": {
"name": "mailman-2.1.17-3.20.1.s390x",
"product_id": "mailman-2.1.17-3.20.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.17-3.20.1.x86_64",
"product": {
"name": "mailman-2.1.17-3.20.1.x86_64",
"product_id": "mailman-2.1.17-3.20.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "HPE Helion OpenStack 8",
"product": {
"name": "HPE Helion OpenStack 8",
"product_id": "HPE Helion OpenStack 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:hpe-helion-openstack:8"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 7",
"product": {
"name": "SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:7"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 8",
"product": {
"name": "SUSE OpenStack Cloud 8",
"product_id": "SUSE OpenStack Cloud 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:8"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud Crowbar 8",
"product": {
"name": "SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP1",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP1",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12:sp1"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP2",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP3",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP1-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP1-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:12:sp1"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP2-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP2-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:12:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP2-BCL",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP2-BCL",
"product_id": "SUSE Linux Enterprise Server 12 SP2-BCL",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-bcl:12:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP3-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP3-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:12:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP3-BCL",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP3-BCL",
"product_id": "SUSE Linux Enterprise Server 12 SP3-BCL",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-bcl:12:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP4",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP4",
"product_id": "SUSE Linux Enterprise Server 12 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:12:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:12:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 5",
"product": {
"name": "SUSE Enterprise Storage 5",
"product_id": "SUSE Enterprise Storage 5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of HPE Helion OpenStack 8",
"product_id": "HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "HPE Helion OpenStack 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE OpenStack Cloud 8",
"product_id": "SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP1",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server 12 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server 12 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP2-BCL",
"product_id": "SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP2-BCL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server 12 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP3-BCL",
"product_id": "SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP3-BCL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP4",
"product_id": "SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server 12 SP4",
"product_id": "SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP4",
"product_id": "SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.aarch64 as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64"
},
"product_reference": "mailman-2.1.17-3.20.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.aarch64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64"
},
"product_reference": "mailman-2.1.17-3.20.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Enterprise Storage 5",
"product_id": "SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12108",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12108"
}
],
"notes": [
{
"category": "general",
"text": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12108",
"url": "https://www.suse.com/security/cve/CVE-2020-12108"
},
{
"category": "external",
"summary": "SUSE Bug 1171363 for CVE-2020-12108",
"url": "https://bugzilla.suse.com/1171363"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-05-18T05:47:04Z",
"details": "moderate"
}
],
"title": "CVE-2020-12108"
},
{
"cve": "CVE-2020-12137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12137"
}
],
"notes": [
{
"category": "general",
"text": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12137",
"url": "https://www.suse.com/security/cve/CVE-2020-12137"
},
{
"category": "external",
"summary": "SUSE Bug 1170558 for CVE-2020-12137",
"url": "https://bugzilla.suse.com/1170558"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-05-18T05:47:04Z",
"details": "moderate"
}
],
"title": "CVE-2020-12137"
}
]
}
fkie_cve-2020-12108
Vulnerability from fkie_nvd
Published
2020-05-06 15:15
Modified
2024-11-21 04:59
Severity ?
Summary
/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://bugs.launchpad.net/mailman/+bug/1873722 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| cve@mitre.org | https://code.launchpad.net/mailman | Third Party Advisory | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html | Third Party Advisory | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2020/07/msg00007.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD/ | ||
| cve@mitre.org | https://mail.python.org/pipermail/mailman-announce/ | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://usn.ubuntu.com/4354-1/ | Third Party Advisory | |
| cve@mitre.org | https://www.debian.org/security/2021/dsa-4991 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.launchpad.net/mailman/+bug/1873722 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://code.launchpad.net/mailman | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2020/07/msg00007.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://mail.python.org/pipermail/mailman-announce/ | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/4354-1/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2021/dsa-4991 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gnu | mailman | * | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 | |
| fedoraproject | fedora | 31 | |
| opensuse | backports_sle | 15.0 | |
| opensuse | backports_sle | 15.0 | |
| opensuse | leap | 15.1 | |
| opensuse | leap | 15.2 | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 18.04 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gnu:mailman:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D0E7D5-6A8B-4413-9363-43E5B26B7C38",
"versionEndExcluding": "2.1.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*",
"matchCriteriaId": "40513095-7E6E-46B3-B604-C926F1BA3568",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*",
"matchCriteriaId": "67E82302-4B77-44F3-97B1-24C18AC4A35D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection."
},
{
"lang": "es",
"value": "El archivo /options/mailman en GNU Mailman versiones anteriores a 2.1.31, permite una Inyecci\u00f3n de Contenido Arbitrario."
}
],
"id": "CVE-2020-12108",
"lastModified": "2024-11-21T04:59:15.730",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-06T15:15:11.240",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/mailman/+bug/1873722"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://code.launchpad.net/mailman"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00007.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://mail.python.org/pipermail/mailman-announce/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4354-1/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4991"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/mailman/+bug/1873722"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://code.launchpad.net/mailman"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00007.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://mail.python.org/pipermail/mailman-announce/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4354-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4991"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
gsd-2020-12108
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-12108",
"description": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
"id": "GSD-2020-12108",
"references": [
"https://www.suse.com/security/cve/CVE-2020-12108.html",
"https://www.debian.org/security/2021/dsa-4991",
"https://access.redhat.com/errata/RHSA-2021:1751",
"https://ubuntu.com/security/CVE-2020-12108",
"https://advisories.mageia.org/CVE-2020-12108.html",
"https://linux.oracle.com/cve/CVE-2020-12108.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-12108"
],
"details": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
"id": "GSD-2020-12108",
"modified": "2023-12-13T01:21:49.762185Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12108",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://code.launchpad.net/mailman",
"refsource": "MISC",
"url": "https://code.launchpad.net/mailman"
},
{
"name": "https://mail.python.org/pipermail/mailman-announce/",
"refsource": "MISC",
"url": "https://mail.python.org/pipermail/mailman-announce/"
},
{
"name": "https://bugs.launchpad.net/mailman/+bug/1873722",
"refsource": "CONFIRM",
"url": "https://bugs.launchpad.net/mailman/+bug/1873722"
},
{
"name": "[debian-lts-announce] 20200507 [SECURITY] [DLA 2204-1] mailman security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html"
},
{
"name": "openSUSE-SU-2020:0661",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html"
},
{
"name": "USN-4354-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4354-1/"
},
{
"name": "openSUSE-SU-2020:0764",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html"
},
{
"name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2276-1] mailman security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00007.html"
},
{
"name": "FEDORA-2020-62f2df3ca4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD/"
},
{
"name": "openSUSE-SU-2020:1707",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"name": "openSUSE-SU-2020:1752",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
},
{
"name": "DSA-4991",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4991"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:gnu:mailman:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.1.31",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12108"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mail.python.org/pipermail/mailman-announce/",
"refsource": "MISC",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://mail.python.org/pipermail/mailman-announce/"
},
{
"name": "https://bugs.launchpad.net/mailman/+bug/1873722",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/mailman/+bug/1873722"
},
{
"name": "https://code.launchpad.net/mailman",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://code.launchpad.net/mailman"
},
{
"name": "[debian-lts-announce] 20200507 [SECURITY] [DLA 2204-1] mailman security update",
"refsource": "MLIST",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html"
},
{
"name": "openSUSE-SU-2020:0661",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html"
},
{
"name": "USN-4354-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4354-1/"
},
{
"name": "openSUSE-SU-2020:0764",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html"
},
{
"name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2276-1] mailman security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00007.html"
},
{
"name": "FEDORA-2020-62f2df3ca4",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD/"
},
{
"name": "openSUSE-SU-2020:1707",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"name": "openSUSE-SU-2020:1752",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
},
{
"name": "DSA-4991",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4991"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2021-12-02T19:30Z",
"publishedDate": "2020-05-06T15:15Z"
}
}
}
ghsa-67xg-7gqq-pccf
Vulnerability from github
Published
2022-05-24 17:17
Modified
2022-05-24 17:17
VLAI Severity ?
Details
/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.
{
"affected": [],
"aliases": [
"CVE-2020-12108"
],
"database_specific": {
"cwe_ids": [
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-06T15:15:00Z",
"severity": "MODERATE"
},
"details": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
"id": "GHSA-67xg-7gqq-pccf",
"modified": "2022-05-24T17:17:16Z",
"published": "2022-05-24T17:17:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12108"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/mailman/+bug/1873722"
},
{
"type": "WEB",
"url": "https://code.launchpad.net/mailman"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74EQIVFB34Q4UYAQLCUWG55YLKAUWCHD"
},
{
"type": "WEB",
"url": "https://mail.python.org/pipermail/mailman-announce"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4354-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4991"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00036.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00003.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…