SuSE Local Security Checks : openSUSE: Security Advisory for Recommended (openSUSE-SU-2020:1707-1)

Búsqueda de Vulnerabilidad		Buscar 191973 Descripciones CVE y 86218 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.853514

Categoría: SuSE Local Security Checks

Título: openSUSE: Security Advisory for Recommended (openSUSE-SU-2020:1707-1)

Resumen: The remote host is missing an update for the 'Recommended'; package(s) announced via the openSUSE-SU-2020:1707-1 advisory.

Descripción: Summary:
The remote host is missing an update for the 'Recommended'
package(s) announced via the openSUSE-SU-2020:1707-1 advisory.

Vulnerability Insight:
This update for mailman to version 2.1.34 fixes the following issues:

- The fix for lp#1859104 can result in ValueError being thrown
on attempts to subscribe to a list. This is fixed and extended to apply
REFUSE_SECOND_PENDING to unsubscription as well. (lp#1878458)

- DMARC mitigation no longer misses if the domain name returned by DNS
contains upper case. (lp#1881035)

- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent
mailbombing of a member of a list with private rosters by repeated
subscribe attempts. (lp#1883017)

- Very long filenames for scrubbed attachments are now truncated.
(lp#1884456)

- A content injection vulnerability via the private login page has been
fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)

- A content injection vulnerability via the options login page has been
discovered and reported by Vishal Singh. CVE-2020-12108 (lp#1873722,
bsc#1171363)

- Bounce recognition for a non-compliant Yahoo format is added.

- Archiving workaround for non-ascii in string.lowercase in some Python
packages is added.

- Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses list
setting that can be used to apply dmarc_moderation_action to mail From:
addresses listed
or matching listed regexps. This can be used to modify mail to
addresses that don't accept external mail From: themselves.

- There is a new MAX_LISTNAME_LENGTH setting. The fix for lp#1780874
obtains a list of the names of all the all the lists in the
installation in order to determine the maximum length of a legitimate
list name. It does this on every web access and on sites with a very
large number of lists, this can have performance implications. See the
description in Defaults.py for more information.

- Thanks to Ralf Jung there is now the ability to add text based captchas
(aka textchas) to the listinfo subscribe form. See the documentation
for the new CAPTCHA setting in Defaults.py for how to enable this. Also
note that if you have custom listinfo.html templates, you will have to
add a tag to those templates to make this work. This
feature can be used in combination with or instead of the Google
reCAPTCHA feature added in 2.1.26.

- Thanks to Ralf Hildebrandt the web admin Membership Management section
now has a feature to sync the list's membership with a list of email
addresses as with the bin/sync_members command.

- There is a new drop_cc list attribute set from DEFAULT_DROP_CC. This
controls the dropping of addresses from the Cc: header in delivered
messages by the duplicate avoidance ...

Description truncated. Please see the references for more information.

Affected Software/OS:
'Recommended' package(s) on openSUSE Leap 15.2.

Solution:
Please install the updated package(s).

CVSS Score:
4.3

CVSS Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2020-12108
Common Vulnerability Exposure (CVE) ID: CVE-2020-12137
Common Vulnerability Exposure (CVE) ID: CVE-2020-15011

Copyright Copyright (C) 2020 Greenbone Networks GmbH

Esta es sólo una de 86218 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.853514
Categoría:	SuSE Local Security Checks
Título:	openSUSE: Security Advisory for Recommended (openSUSE-SU-2020:1707-1)
Resumen:	The remote host is missing an update for the 'Recommended'; package(s) announced via the openSUSE-SU-2020:1707-1 advisory.
Descripción:	Summary: The remote host is missing an update for the 'Recommended' package(s) announced via the openSUSE-SU-2020:1707-1 advisory. Vulnerability Insight: This update for mailman to version 2.1.34 fixes the following issues: - The fix for lp#1859104 can result in ValueError being thrown on attempts to subscribe to a list. This is fixed and extended to apply REFUSE_SECOND_PENDING to unsubscription as well. (lp#1878458) - DMARC mitigation no longer misses if the domain name returned by DNS contains upper case. (lp#1881035) - A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent mailbombing of a member of a list with private rosters by repeated subscribe attempts. (lp#1883017) - Very long filenames for scrubbed attachments are now truncated. (lp#1884456) - A content injection vulnerability via the private login page has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369) - A content injection vulnerability via the options login page has been discovered and reported by Vishal Singh. CVE-2020-12108 (lp#1873722, bsc#1171363) - Bounce recognition for a non-compliant Yahoo format is added. - Archiving workaround for non-ascii in string.lowercase in some Python packages is added. - Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses list setting that can be used to apply dmarc_moderation_action to mail From: addresses listed or matching listed regexps. This can be used to modify mail to addresses that don't accept external mail From: themselves. - There is a new MAX_LISTNAME_LENGTH setting. The fix for lp#1780874 obtains a list of the names of all the all the lists in the installation in order to determine the maximum length of a legitimate list name. It does this on every web access and on sites with a very large number of lists, this can have performance implications. See the description in Defaults.py for more information. - Thanks to Ralf Jung there is now the ability to add text based captchas (aka textchas) to the listinfo subscribe form. See the documentation for the new CAPTCHA setting in Defaults.py for how to enable this. Also note that if you have custom listinfo.html templates, you will have to add a tag to those templates to make this work. This feature can be used in combination with or instead of the Google reCAPTCHA feature added in 2.1.26. - Thanks to Ralf Hildebrandt the web admin Membership Management section now has a feature to sync the list's membership with a list of email addresses as with the bin/sync_members command. - There is a new drop_cc list attribute set from DEFAULT_DROP_CC. This controls the dropping of addresses from the Cc: header in delivered messages by the duplicate avoidance ... Description truncated. Please see the references for more information. Affected Software/OS: 'Recommended' package(s) on openSUSE Leap 15.2. Solution: Please install the updated package(s). CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2020-12108 Common Vulnerability Exposure (CVE) ID: CVE-2020-12137 Common Vulnerability Exposure (CVE) ID: CVE-2020-15011
Copyright	Copyright (C) 2020 Greenbone Networks GmbH