-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4093
                          mailman security updates
                               3 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mailman
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Increased Privileges       -- Existing Account
                   Cross-site Request Forgery -- Existing Account
                   Access Confidential Data   -- Remote/Unauthenticated
                   Reduced Security           -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44227 CVE-2021-42097 CVE-2016-6893
Reference:         ESB-2021.3997
                   ESB-2021.3987
                   ESB-2016.2186

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:4913
   https://access.redhat.com/errata/RHSA-2021:4915
   https://access.redhat.com/errata/RHSA-2021:4916

Comment: This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: mailman security update
Advisory ID:       RHSA-2021:4913-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4913
Issue date:        2021-12-02
CVE Names:         CVE-2016-6893 CVE-2021-42097 CVE-2021-44227
=====================================================================

1. Summary:

An update for mailman is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mailman is a program used to help manage e-mail discussion lists.

Security Fix(es):

* mailman: CSRF token bypass allows to perform CSRF attacks and account
takeover (CVE-2021-42097)

* mailman: CSRF token bypass allows to perform CSRF attacks and admin
takeover (CVE-2021-44227)

* mailman: CSRF protection missing in the user options page (CVE-2016-6893)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1370155 - CVE-2016-6893 mailman: CSRF protection missing in the user options page
2020568 - CVE-2021-42097 mailman: CSRF token bypass allows to perform CSRF attacks and account takeover
2026862 - CVE-2021-44227 mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover

6. Package List:

Red Hat Enterprise Linux Server (v. 7):

Source:
mailman-2.1.15-30.el7_9.2.src.rpm

ppc64:
mailman-2.1.15-30.el7_9.2.ppc64.rpm
mailman-debuginfo-2.1.15-30.el7_9.2.ppc64.rpm

ppc64le:
mailman-2.1.15-30.el7_9.2.ppc64le.rpm
mailman-debuginfo-2.1.15-30.el7_9.2.ppc64le.rpm

s390x:
mailman-2.1.15-30.el7_9.2.s390x.rpm
mailman-debuginfo-2.1.15-30.el7_9.2.s390x.rpm

x86_64:
mailman-2.1.15-30.el7_9.2.x86_64.rpm
mailman-debuginfo-2.1.15-30.el7_9.2.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
mailman-2.1.15-30.el7_9.2.src.rpm

x86_64:
mailman-2.1.15-30.el7_9.2.x86_64.rpm
mailman-debuginfo-2.1.15-30.el7_9.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-6893
https://access.redhat.com/security/cve/CVE-2021-42097
https://access.redhat.com/security/cve/CVE-2021-44227
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYakv19zjgjWX9erEAQiEdBAAplbfwttVm3BO1wu4RvR70KWh6bHNCG4o
jx0OpF6BPq85FUCjc2o+NGFwiZGLO2cCs4p3zPDIvzT28VqIGg2n8KD1CGquAME7
M11TTGHhnqA9AZwIeTCEJ0ay6qjj/XTawjSGse9BEqlKlZ3BXpPiGz/4biOL4njV
aCcupNdYU26K8XRzMhBv32+4t7mO4YmaX+RHKXNRXKBKsWujuxM63MZ/fwr/ZfnZ
jBmmCjxMkskjqzNcX6NieK9OzFqbkvVmc10jeo31fJFz0kfif7nNj8dXi2OO9XYc
2XfP2OCh73X14LLFYkmF0F1Nsjo0W0gJpDLIFGSsyhu6nl2Q2Lann7GxUyrytvN3
NrB3MvALCojfsmsRrlWcc/MuIb0jgwPR5untJqUjkNCSjoW+9es+EE53n0JeftT3
6VGfiB9swdd/3WX+VX5sk+EtYqBrf+IDY+dvggGYqRkniqpAjpES1OGI8ecEZ6FG
cvS0dlzjvhUShnbpV7/4at8jYdx9oZ3Kkoiq9kulx/qsWkmAwXsKSjzg/2jO+wuu
alXahvuQIdWBlp5Y4UGsG6CnMJzPfG6yDGJHHj9rjX2FOmuepMeFBYtKBazhCq1s
u4JbrzRKqk0ZCDUZuuB2pt76Sn6BkL+J9bu5EH1UV3fUob2botWBSTqrQtmT7N3T
vKqFDbgZPGs=
=qEWu
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: mailman:2.1 security update
Advisory ID:       RHSA-2021:4915-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4915
Issue date:        2021-12-02
CVE Names:         CVE-2021-44227
=====================================================================

1. Summary:

An update for the mailman:2.1 module is now available for Red Hat
Enterprise Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mailman is a program used to help manage e-mail discussion lists.

Security Fix(es):

* mailman: CSRF token bypass allows to perform CSRF attacks and admin
takeover (CVE-2021-44227)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2026862 - CVE-2021-44227 mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:
mailman-2.1.29-11.module+el8.4.0+13467+746daedf.2.src.rpm

aarch64:
mailman-2.1.29-11.module+el8.4.0+13467+746daedf.2.aarch64.rpm
mailman-debuginfo-2.1.29-11.module+el8.4.0+13467+746daedf.2.aarch64.rpm
mailman-debugsource-2.1.29-11.module+el8.4.0+13467+746daedf.2.aarch64.rpm

ppc64le:
mailman-2.1.29-11.module+el8.4.0+13467+746daedf.2.ppc64le.rpm
mailman-debuginfo-2.1.29-11.module+el8.4.0+13467+746daedf.2.ppc64le.rpm
mailman-debugsource-2.1.29-11.module+el8.4.0+13467+746daedf.2.ppc64le.rpm

s390x:
mailman-2.1.29-11.module+el8.4.0+13467+746daedf.2.s390x.rpm
mailman-debuginfo-2.1.29-11.module+el8.4.0+13467+746daedf.2.s390x.rpm
mailman-debugsource-2.1.29-11.module+el8.4.0+13467+746daedf.2.s390x.rpm

x86_64:
mailman-2.1.29-11.module+el8.4.0+13467+746daedf.2.x86_64.rpm
mailman-debuginfo-2.1.29-11.module+el8.4.0+13467+746daedf.2.x86_64.rpm
mailman-debugsource-2.1.29-11.module+el8.4.0+13467+746daedf.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-44227
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYakvzdzjgjWX9erEAQhhwQ//Z4R8b7PLKZztRevFCwaW2BQszTANLO9y
s+0jZNPz6RaMG52ycjoatoFERRZRyeyJFwElrzM9UclfZbcoFch5JHlm8/NwsgU1
ZOxKS2XScoWXGiuFmmJSf6KDMcL0uKWSBzDk8mGoNX72yh09iErVS2nT1boLGvex
BDO//ZEe6FZ5wjIklpthrnln/AMFemHabTob6nuIlrC6/HnOVZPHBWKBA2S88scg
hBwa+D6o98Hhp450AFlmHvh3fxREXxZCYqnCwaixZTn/KKaufCEpfSrM2GdXDSGc
3YsEJPFtqfS1FxE8R75xhp8PptnLKz0zHxQmDqD57TDJw36kNj26qbILFm7BGi63
t0Fv3BdQ3aR4WCN7Qfw6hA8udlOdZt1Kl8oooBU3Ubiuz62T3JasfZqEn/rYUbMz
OPtXKUK0Wtowq2If9So4+oTfQkcOArJNTMBDxREme2lr2DgdYu2LDqHoC54tSHZU
FFZScbNF0z6/8CmW4ohUgKAiuvrBA2aM5ozllkVH19+rnn/kIYLSLDram6bZO813
PV2PFx6Tpee5AoI54FKbxbx5pcu1ZofcJKTs/d7klRYV3L7mp5v8h3XyK0iYSqVc
YUr5cgTuMWKyubt4Om5N+XfKMDj1PqLBP4ivYNjYG0aaQZYGh16GAxuAXtxdbpke
eRVtgp1dOX0=
=kv2V
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: mailman:2.1 security update
Advisory ID:       RHSA-2021:4916-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4916
Issue date:        2021-12-02
CVE Names:         CVE-2021-44227
=====================================================================

1. Summary:

An update for the mailman:2.1 module is now available for Red Hat
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mailman is a program used to help manage e-mail discussion lists.

Security Fix(es):

* mailman: CSRF token bypass allows to perform CSRF attacks and admin
takeover (CVE-2021-44227)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2026862 - CVE-2021-44227 mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
mailman-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.src.rpm

aarch64:
mailman-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.aarch64.rpm
mailman-debuginfo-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.aarch64.rpm
mailman-debugsource-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.aarch64.rpm

ppc64le:
mailman-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.ppc64le.rpm
mailman-debuginfo-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.ppc64le.rpm
mailman-debugsource-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.ppc64le.rpm

s390x:
mailman-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.s390x.rpm
mailman-debuginfo-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.s390x.rpm
mailman-debugsource-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.s390x.rpm

x86_64:
mailman-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.x86_64.rpm
mailman-debuginfo-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.x86_64.rpm
mailman-debugsource-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-44227
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYakvw9zjgjWX9erEAQgISA/8DSmaBO4dXKABCam4VpLzfKN8HbvBSsJ9
mNFDzFki3Pm4R1LYQPgBT3kc/dfOGvsetu08YOGzNl23RDCvzSxYeRG9ZZkLDULc
qT2ndWnd8c6LGYCTYqBVqyxyMkKrrbtB6RabCTfx49MYakRMcJHfgUWaoIxi+3Fs
PYIQ8lu/uyD6dYN1q4buuOjBuOq1scJ1n8UmLzedxxkRbMVNlLXWAmoqPfg/moxF
/EZcprvGYXJoYsDJTbTXguxaDtZ1sYuimTzraKLkdyu/etlghG5CoahQNbZpZdbV
nxBErMcl661KXQ+XNkrQOuX9P7Hy2wgGS4VkwD9wjaD5fnxB5QjJv90s3UiEFnsR
xucBp2b/X633tfB+yEpj+mEkz3N+SZiSgKUDJw7ONRRPs4HtOUdZYsCDAzzJHlQC
GqqkJnD/dR7F6aeVgiUL1MrNbptLfMSea7YXddrEqGiImTOWfNrh9o+aL2qMOQZW
mNuSKjcrOcHwzDKNY0lgnJfdktuHUeAQKvGq5nyYafDAWRX1oYS9EwWBgX25XNss
3+vMFOTth0SIoumSZltxPCCWReY8l/y/9on4EyLuG4LKAgm5+0ydBnfQ6DNe8JHn
PKcDzFGk6x8aZzm37U6CMkCJHai7gtK5/whBFStSXqvTP5npOEcWBdQwyzXco/ut
OVeQN2WsUuM=
=O1dT
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYalUzONLKJtyKPYoAQhlUQ//YyC6nS3CHB9S/V2DyAutUAn38y0g0wR/
6EyXDJicgu9yGXbulaZgQqCeIXzTiPZZlLKEJCUvk8ZDxsXXFxO+QfTZns1aAUb1
Pzl2nKKu0YEK0mDtOwn3r/Ve9vZROWZtOMC/PHWilkZgIibo9ktg/WzO9D8FAmj9
vo682T3BUm+oWK34k/r9fRFcXiM3Z1LqJDmT4UCjuweQB1JTlOsF7/S39ezdO2Wx
YXdb3EqzWf/7jpRkP+k99LrmkJKkn1ZS2RTQiDXQ5kW31Tzw/sswfU2FaU4fMGcu
PM5G7gxL6lK7h3ibBna6ZLpqtIOP4IxncS628Gleh58cQwdCJjxLH9G5SmCNuzsv
2kwQ09Lhyj+WcZIpjRzyOaprGICDWzn4//uHT2WTL8OCn72suzvwHon6crvmz3oS
Hwf4BLkCaj+8F9AFvVFoiMB27bgUQ0ZSqZR+Skmk93vpWk00xyjyDaMydJSojL+b
eBz+FudFIPXP/l26cGw/v5bgHAXFzay2FBBUqZ2MuKWM5kkJQ4z/cFKGqh3Q4HQX
AawKe9G9H1VVOX8+w4bRHtDTI0cJerBVCLoRbpZ180gHiMRxeNtRg/wA5cNTlnZ7
+KXbLYq3v6oYQxf3UbPEk6xeJ6Zm5yJN1+zGVq7l+Xa+8j/iaDRLea6jxEpw0AJ/
03z6U8Gvq3k=
=okAg
-----END PGP SIGNATURE-----
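Editor's note, added to this copy of the bulletin and not part of the AusCERT or Red Hat text: the three advisories above name one fixed build per product stream (RHSA-2021:4913 for RHEL 7, RHSA-2021:4915 for the RHEL 8.4 EUS mailman:2.1 module, RHSA-2021:4916 for the RHEL 8 AppStream mailman:2.1 module), and the practical check after applying them is whether every list server now carries a build at or above the named one. The script below takes the default `rpm -q mailman` output collected from each host, matches the release tag to the right advisory, and compares version and release with a reimplementation of RPM's rpmvercmp ordering (digit runs and letter runs as segments, tilde sorting before everything, caret sorting after end-of-string). The hostnames and the pre-fix build strings in SAMPLE_INVENTORY are constructed for the example; only the three fixed builds come from the advisories. Epoch is ignored because none of the listed packages carries one.

```python
import re

# Fixed builds named in RHSA-2021:4913, RHSA-2021:4915 and RHSA-2021:4916,
# keyed by a pattern over the installed package's release tag. Order matters:
# the 8.4 EUS rule must come before the generic el8 rule, because the EUS fix
# (release 11.module+el8.4.0+...) compares older than the 8.5 AppStream fix
# (release 12.module+el8.5.0+...) even though both are patched builds.
FIXED_BUILDS = (
    (re.compile(r"\.el7"),         "RHSA-2021:4913", "mailman-2.1.15-30.el7_9.2"),
    (re.compile(r"\+el8\.4\.0\+"), "RHSA-2021:4915", "mailman-2.1.29-11.module+el8.4.0+13467+746daedf.2"),
    (re.compile(r"el8"),           "RHSA-2021:4916", "mailman-2.1.29-12.module+el8.5.0+13466+327eb9f3.2"),
)

# rpmvercmp segments: runs of digits, runs of letters, and the ~ / ^ markers;
# every other character is a separator and carries no meaning.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~|\^")
_NVRA = re.compile(r"(.+)-([^-]+)-([^-]+?)(?:\.(?:x86_64|aarch64|ppc64le|ppc64|s390x|noarch|src))?")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings like librpm's rpmvercmp(): -1, 0 or 1."""
    if a == b:
        return 0
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = j = 0
    while i < len(ta) or j < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[j] if j < len(tb) else None
        if x == "~" or y == "~":              # tilde sorts before anything, even end of string
            if x != "~":
                return 1
            if y != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if x == "^" or y == "^":              # caret sorts after end of string, before anything else
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if x is None or y is None:
            break
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:                      # a numeric segment is newer than an alphabetic one
            return 1 if xnum else -1
        if xnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):              # longer digit run (after zero-stripping) is larger
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
        i, j = i + 1, j + 1
    if i >= len(ta) and j >= len(tb):
        return 0
    return -1 if i >= len(ta) else 1          # whichever string still has segments is newer


def parse_nvr(pkg: str):
    """Split 'name-version-release[.arch]' into (name, version, release); arch is dropped."""
    m = _NVRA.fullmatch(pkg.strip())
    if not m:
        raise ValueError(f"not a name-version-release string: {pkg!r}")
    return m.group(1), m.group(2), m.group(3)


def assess(rpm_q_line: str):
    """Classify one line of `rpm -q mailman` output against the three advisories.

    Returns (status, advisory, fixed_build); status is 'not-installed',
    'unknown-release' (no rule matched the dist tag), 'vulnerable' or 'fixed'.
    """
    line = rpm_q_line.strip()
    if line.startswith("package ") and line.endswith("is not installed"):
        return ("not-installed", None, None)
    _, ver, rel = parse_nvr(line)
    for pattern, advisory, fixed in FIXED_BUILDS:
        if pattern.search(rel):
            _, fver, frel = parse_nvr(fixed)
            order = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
            return ("vulnerable" if order < 0 else "fixed", advisory, fixed)
    return ("unknown-release", None, None)


def report(inventory: dict) -> dict:
    """Map each host to its assessment; inventory values are raw `rpm -q mailman` lines."""
    return {host: assess(line) for host, line in inventory.items()}


# Constructed sample: hostnames and the ".1" / el8.3.0 builds are illustrative only.
SAMPLE_INVENTORY = {
    "lists-01.example.internal": "mailman-2.1.15-30.el7_9.1.x86_64",
    "lists-02.example.internal": "mailman-2.1.15-30.el7_9.2.x86_64",
    "lists-03.example.internal": "mailman-2.1.29-11.module+el8.4.0+13467+746daedf.1.x86_64",
    "lists-04.example.internal": "mailman-2.1.29-12.module+el8.5.0+13466+327eb9f3.2.x86_64",
    "lists-05.example.internal": "mailman-2.1.29-9.module+el8.3.0+0000+00000000.x86_64",
    "web-01.example.internal":   "package mailman is not installed",
}

if __name__ == "__main__":
    for host, (status, advisory, fixed) in report(SAMPLE_INVENTORY).items():
        print(f"{host:28} {status:16} {advisory or '-':16} {fixed or ''}")
```

Collect the input with `rpm -q mailman` on each host (the default query format prints exactly the name-version-release.arch form the parser expects); a 'fixed' verdict only says the package is at or past the advisory's build, so pair it with `rpm -K` against Red Hat's published key, as the advisories direct, before treating the host as remediated.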