Lucene search

DebianDEBIAN:DLA-2276-1:BF609

HistoryJul 10, 2020 - 7:59 p.m.

[SECURITY] [DLA 2276-1] mailman security update

2020-07-1019:59:32

lists.debian.org

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

6.8

Confidence

Low

EPSS

0.009

Percentile

83.4%

JSON

Debian LTS Advisory DLA-2276-1 [email protected]
https://www.debian.org/lts/security/ Utkarsh Gupta
July 10, 2020 https://wiki.debian.org/LTS

Package : mailman
Version : 1:2.1.23-1+deb9u6
CVE ID : CVE-2020-12108 CVE-2020-15011

The following CVEs were reported against src:mailman.

CVE-2020-12108

/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary
Content Injection.

CVE-2020-15011

GNU Mailman before 2.1.33 allows arbitrary content injection via
the Cgi/private.py private archive login page.

For Debian 9 stretch, these problems have been fixed in version
1:2.1.23-1+deb9u6.

We recommend that you upgrade your mailman packages.

For the detailed security status of mailman please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mailman

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Best,
Utkarsh

OSVersionArchitecturePackageVersionFilename
Debian9armelmailman< 1:2.1.23-1+deb9u6mailman_1:2.1.23-1+deb9u6_armel.deb
Debian10armelmailman-dbgsym< 1:2.1.29-1+deb10u2mailman-dbgsym_1:2.1.29-1+deb10u2_armel.deb
Debian8armhfmailman< 1:2.1.18-2+deb8u7mailman_1:2.1.18-2+deb8u7_armhf.deb
Debian10armhfmailman-dbgsym< 1:2.1.29-1+deb10u2mailman-dbgsym_1:2.1.29-1+deb10u2_armhf.deb
Debian8allmailman< 1:2.1.18-2+deb8u7mailman_1:2.1.18-2+deb8u7_all.deb
Debian10s390xmailman< 1:2.1.29-1+deb10u2mailman_1:2.1.29-1+deb10u2_s390x.deb
Debian10arm64mailman-dbgsym< 1:2.1.29-1+deb10u2mailman-dbgsym_1:2.1.29-1+deb10u2_arm64.deb
Debian10ppc64elmailman< 1:2.1.29-1+deb10u2mailman_1:2.1.29-1+deb10u2_ppc64el.deb
Debian10mipselmailman-dbgsym< 1:2.1.29-1+deb10u2mailman-dbgsym_1:2.1.29-1+deb10u2_mipsel.deb
Debian10mipselmailman< 1:2.1.29-1+deb10u2mailman_1:2.1.29-1+deb10u2_mipsel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	armel	mailman	< 1:2.1.23-1+deb9u6	mailman_1:2.1.23-1+deb9u6_armel.deb
Debian	10	armel	mailman-dbgsym	< 1:2.1.29-1+deb10u2	mailman-dbgsym_1:2.1.29-1+deb10u2_armel.deb
Debian	8	armhf	mailman	< 1:2.1.18-2+deb8u7	mailman_1:2.1.18-2+deb8u7_armhf.deb
Debian	10	armhf	mailman-dbgsym	< 1:2.1.29-1+deb10u2	mailman-dbgsym_1:2.1.29-1+deb10u2_armhf.deb
Debian	8	all	mailman	< 1:2.1.18-2+deb8u7	mailman_1:2.1.18-2+deb8u7_all.deb
Debian	10	s390x	mailman	< 1:2.1.29-1+deb10u2	mailman_1:2.1.29-1+deb10u2_s390x.deb
Debian	10	arm64	mailman-dbgsym	< 1:2.1.29-1+deb10u2	mailman-dbgsym_1:2.1.29-1+deb10u2_arm64.deb
Debian	10	ppc64el	mailman	< 1:2.1.29-1+deb10u2	mailman_1:2.1.29-1+deb10u2_ppc64el.deb
Debian	10	mipsel	mailman-dbgsym	< 1:2.1.29-1+deb10u2	mailman-dbgsym_1:2.1.29-1+deb10u2_mipsel.deb
Debian	10	mipsel	mailman	< 1:2.1.29-1+deb10u2	mailman_1:2.1.29-1+deb10u2_mipsel.deb