OESA-2021-1405

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1405
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2021-1405.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2021-1405
Upstream
Published
2021-10-30T11:03:18Z
Modified
2025-09-03T06:16:57.033814Z
Summary
mailman security update
Details

Mailman is free software for managing electronic mail discussion and e-newsletter lists. Mailman is integrated with the web, making it easy for users to manage their accounts and for list owners to administer their lists. Mailman supports built-in archiving, automatic bounce processing, content filtering, digest delivery, spam filters, and more.

Security Fix(es):

/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection. (CVE-2020-12108)

GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code. (CVE-2020-12137)

GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page. (CVE-2020-15011)

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password. (CVE-2021-42096)

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)
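
The two csrf_token weaknesses above (CVE-2021-42096 and CVE-2021-42097) are easier to reason about side by side. The following is an added illustration, not Mailman's code and not the upstream fix: the "weak" scheme is a hypothetical construction that reproduces the two defects the advisory describes (token derived from the admin password; token not bound to a user), and the "hardened" scheme shows the properties a CSRF token needs to avoid both. The list name, password, candidate list and timestamps are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time
from typing import Iterable, Optional

LIST_NAME = "testlist"        # constructed sample data
ADMIN_PASSWORD = "s3cret"     # constructed sample data, deliberately guessable

# --- Weak scheme (hypothetical; exhibits the advisory's two defects) -------

def weak_token(list_name: str, admin_password: str) -> str:
    """Deterministic digest of list name + admin password: no user, no session,
    no server secret. Whoever sees it holds a password hash to attack offline."""
    return hashlib.sha1(f"{list_name}:{admin_password}".encode()).hexdigest()

def weak_form_token(list_name: str, requesting_user: str, admin_password: str) -> str:
    """The hypothetical server puts the same token into every form it renders,
    so an ordinary member's page already carries the admin-valid token."""
    return weak_token(list_name, admin_password)        # requesting_user ignored

def weak_verify(list_name: str, admin_password: str, submitted: str) -> bool:
    return hmac.compare_digest(weak_token(list_name, admin_password), submitted)

def brute_force_password(list_name: str, leaked_token: str,
                         candidates: Iterable[str]) -> Optional[str]:
    """CVE-2021-42096 pattern: test guesses against the leaked token offline,
    with no rate limit and no server interaction."""
    for guess in candidates:
        if hmac.compare_digest(weak_token(list_name, guess), leaked_token):
            return guess
    return None

# --- Hardened scheme -------------------------------------------------------

SERVER_SECRET = secrets.token_bytes(32)   # per-installation key, independent of any password
TOKEN_TTL = 3600                          # seconds

def strong_token(user: str, role: str, session_id: str, now: Optional[int] = None) -> str:
    """HMAC over the identity the token is valid for, plus its issue time."""
    issued = int(time.time()) if now is None else now
    msg = f"{LIST_NAME}|{user}|{role}|{session_id}|{issued}".encode()
    return f"{issued}:{hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()}"

def strong_verify(user: str, role: str, session_id: str, submitted: str,
                  now: Optional[int] = None) -> bool:
    """Recompute for the *requesting* identity: a token minted for another user,
    role or session, or one past its TTL, fails."""
    try:
        issued_text, _ = submitted.split(":", 1)
        issued = int(issued_text)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if issued > current or current - issued > TOKEN_TTL:
        return False
    return hmac.compare_digest(strong_token(user, role, session_id, now=issued), submitted)

def demo() -> dict:
    """Run both attacks against the weak scheme and the same replay against the
    hardened scheme. Returns the observations so they can be checked."""
    # Attacker logged in as ordinary member "mallory" reads the token off her own page.
    member_token = weak_form_token(LIST_NAME, "mallory", ADMIN_PASSWORD)
    # CVE-2021-42097 pattern: the same token is accepted on the admin endpoint.
    weak_replay = weak_verify(LIST_NAME, ADMIN_PASSWORD, member_token)
    # CVE-2021-42096 pattern: the token doubles as an offline oracle for the password.
    recovered = brute_force_password(LIST_NAME, member_token,
                                     ["password", "admin", "s3cret", "letmein"])

    t0 = 1_700_000_000   # constructed clock value
    member_session, admin_session = secrets.token_hex(16), secrets.token_hex(16)
    strong_member = strong_token("mallory", "member", member_session, now=t0)
    return {
        "weak_replay_accepted": weak_replay,
        "recovered_password": recovered,
        "strong_replay_accepted": strong_verify("admin", "admin", admin_session,
                                                strong_member, now=t0 + 10),
        "strong_own_context_accepted": strong_verify("mallory", "member", member_session,
                                                     strong_member, now=t0 + 10),
        "strong_expired_accepted": strong_verify("mallory", "member", member_session,
                                                 strong_member, now=t0 + TOKEN_TTL + 1),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened variant is not the hash function but the inputs: the token carries nothing derived from a password, so seeing it gives an attacker nothing to brute-force, and it is keyed to the user, role and session it was issued for, so a value harvested in a member context cannot be replayed against the admin interface.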

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / mailman

Package

Name
mailman
Purl
pkg:rpm/openEuler/mailman&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.1.29-8.oe1

Ecosystem specific

{
    "x86_64": [
        "mailman-2.1.29-8.oe1.x86_64.rpm",
        "mailman-debuginfo-2.1.29-8.oe1.x86_64.rpm",
        "mailman-debugsource-2.1.29-8.oe1.x86_64.rpm"
    ],
    "aarch64": [
        "mailman-debugsource-2.1.29-8.oe1.aarch64.rpm",
        "mailman-debuginfo-2.1.29-8.oe1.aarch64.rpm",
        "mailman-2.1.29-8.oe1.aarch64.rpm"
    ],
    "src": [
        "mailman-2.1.29-8.oe1.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2021-1405.json"

openEuler:20.03-LTS-SP2 / mailman

Package

Name
mailman
Purl
pkg:rpm/openEuler/mailman&distro=openEuler-20.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.1.29-8.oe1

Ecosystem specific

{
    "x86_64": [
        "mailman-2.1.29-8.oe1.x86_64.rpm",
        "mailman-debuginfo-2.1.29-8.oe1.x86_64.rpm",
        "mailman-debugsource-2.1.29-8.oe1.x86_64.rpm"
    ],
    "aarch64": [
        "mailman-debugsource-2.1.29-8.oe1.aarch64.rpm",
        "mailman-debuginfo-2.1.29-8.oe1.aarch64.rpm",
        "mailman-2.1.29-8.oe1.aarch64.rpm"
    ],
    "src": [
        "mailman-2.1.29-8.oe1.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2021-1405.json"
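
Note that both affected ranges above give the fix as 2.1.29-8.oe1, not the upstream versions named in the CVE text (2.1.31, 2.1.33, 2.1.35): openEuler carries the fixes as a backport on the 2.1.29 base, so a host must be judged by its RPM epoch:version-release against the advisory's fixed EVR, not by the upstream version number. The following is an added example of that check, not code from openEuler or OSV. It ports the core of rpm's rpmvercmp() segment rules (the '^' rule is left out), and the query lines it consumes are constructed samples of what `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' mailman` prints.

```python
import re
from typing import Dict, List, Tuple

# Fixed EVR per the advisory's "Affected ranges" (these packages carry no epoch).
FIXED_EVR: Dict[str, str] = {
    "openEuler-20.03-LTS-SP1": "2.1.29-8.oe1",
    "openEuler-20.03-LTS-SP2": "2.1.29-8.oe1",
}

_SEG = re.compile(r"\d+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Core of rpm's rpmvercmp(): split into digit and alpha runs; digits compare
    numerically, alphas lexically, a digit run beats an alpha run, '~' sorts
    before anything (so 1.0~rc1 < 1.0), and when one side runs out the side
    with segments left wins. Returns -1, 0 or 1. The '^' rule is omitted."""
    if a == b:
        return 0
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(ta) == len(tb):
        return 0
    longer_is_a = len(ta) > len(tb)
    rest = ta[len(tb):] if longer_is_a else tb[len(ta):]
    if rest[0] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1

def split_evr(evr: str) -> Tuple[str, str, str]:
    """'epoch:version-release' -> (epoch, version, release); missing epoch is 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release

def evr_cmp(a: str, b: str) -> int:
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0

def parse_rpm_query(line: str) -> str:
    """Normalise one output line of the rpm query above; rpm prints "(none)" when
    the package has no epoch, which compares as epoch 0."""
    epoch, rest = line.strip().split(":", 1)
    return f"{'0' if epoch == '(none)' else epoch}:{rest}"

def is_vulnerable(installed_evr: str, distro: str) -> bool:
    """True when the installed EVR sorts below the advisory's fixed EVR."""
    return evr_cmp(installed_evr, FIXED_EVR[distro]) < 0

# Constructed sample inventory: (host, distro, rpm query output line).
SAMPLE_INVENTORY = [
    ("sp1-host", "openEuler-20.03-LTS-SP1", "(none):2.1.29-7.oe1"),
    ("sp2-host", "openEuler-20.03-LTS-SP2", "(none):2.1.29-8.oe1"),
    ("sp2-host2", "openEuler-20.03-LTS-SP2", "(none):2.1.30-1.oe1"),
]

def assess(rows=SAMPLE_INVENTORY) -> List[Tuple[str, bool]]:
    """Per host: is the installed mailman still inside the affected range?"""
    return [(host, is_vulnerable(parse_rpm_query(line), distro))
            for host, distro, line in rows]

if __name__ == "__main__":
    for host, vulnerable in assess():
        print(f"{host}: {'VULNERABLE' if vulnerable else 'fixed'}")
```

On a real host, feed `assess()` the actual query output for the distro from /etc/os-release; the comparison must stay EVR-based, because a string or float comparison would rank "2.1.29-10.oe1" below "2.1.29-8.oe1".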