openSUSE Security Update: Security update for mailman ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1452-1 Rating: important References: #1047218 #1191959 #1191960 Cross-References: CVE-2021-42096 CVE-2021-42097 CVSS scores: CVE-2021-42096 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-42097 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Affected Products: openSUSE Backports SLE-15-SP2 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for mailman fixes the following issues: Update to 2.1.35 to fix 2 security issues: - A potential for for a list member to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed. CVE-2021-42096 (boo#1191959, LP:#1947639) - A CSRF attack via the user options page could allow takeover of a users account. This is fixed. CVE-2021-42097 (boo#1191960, LP:#1947640) - make package build reproducible (boo#1047218) This update was imported from the openSUSE:Leap:15.2:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP2: zypper in -t patch openSUSE-2021-1452=1 Package List: - openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64): mailman-2.1.35-bp152.7.6.1 References: https://www.suse.com/security/cve/CVE-2021-42096.html https://www.suse.com/security/cve/CVE-2021-42097.html https://bugzilla.suse.com/1047218 https://bugzilla.suse.com/1191959 https://bugzilla.suse.com/1191960