openSUSE Security Update : mailman (openSUSE-2019-495)

medium Nessus Plugin ID 123204

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for mailman to version 2.1.27 fixes the following issues :

This security issue was fixed :

- CVE-2018-0618: Additional protections against injecting scripts into listinfo and error messages pages (bsc#1099510).

These non-security issues were fixed :

- The hash generated when SUBSCRIBE_FORM_SECRET is set could have been the same as one generated at the same time for a different list and IP address.

- An option has been added to bin/add_members to issue invitations instead of immediately adding members.

- A new BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE setting has been added to enable blocking web subscribes from IPv4 addresses listed in Spamhaus SBL, CSS or XBL. It will work with IPv6 addresses if Python's py2-ipaddress module is installed. The module can be installed via pip if not included in your Python.

- Mailman has a new 'security' log and logs authentication failures to the various web CGI functions. The logged data include the remote IP and can be used to automate blocking of IPs with something like fail2ban. Since Mailman 2.1.14, these have returned an http 401 status and the information should be logged by the web server, but this new log makes that more convenient. Also, the 'mischief' log entries for 'hostile listname' noe include the remote IP if available.

- admin notices of (un)subscribes now may give the source of the action. This consists of a %(whence)s replacement that has been added to the admin(un)subscribeack.txt templates. Thanks to Yasuhito FUTATSUKI for updating the non-English templates and help with internationalizing the reasons.

- there is a new BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE setting to enable blocking web subscribes for addresses in domains listed in the Spamhaus DBL.

Solution

Update the affected mailman packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1099510

Plugin Details

Severity: Medium

ID: 123204

File Name: openSUSE-2019-495.nasl

Version: 1.6

Type: local

Agent: unix

Published: 3/27/2019

Updated: 6/11/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2018-0618

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:mailman-debugsource, cpe:/o:novell:opensuse:15.0, p-cpe:/a:novell:opensuse:mailman-debuginfo, p-cpe:/a:novell:opensuse:mailman

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/23/2019

Vulnerability Publication Date: 7/26/2018

Reference Information

CVE: CVE-2018-0618