mailman-2.1.12-25.AXS4

エラータID: AXSA:2015-303:01

Release date: 
Monday, August 10, 2015 - 16:07
Subject: 
mailman-2.1.12-25.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
Moderate
Description: 

Mailman is software to help manage email discussion lists, much like
Majordomo and Smartmail. Unlike most similar products, Mailman gives
each mailing list a webpage, and allows users to subscribe,
unsubscribe, etc. over the Web. Even the list manager can administer
his or her list entirely from the Web. Mailman also integrates most
things people want to do with mailing lists, including archiving, mail
<-> news gateways, and so on.

Security issues fixed with this release:

CVE-2002-0389
CVE-2015-2775

Fixed bugs:

* Previously, it was impossible to configure Mailman in a way that Domain-based
Message Authentication, Reporting & Conformance (DMARC) would recognize
Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently,
Mailman list subscribers that belonged to a mail server with a "reject" policy
for DMARC, such as yahoo.com or AOL.com, were unable to receive Mailman
forwarded messages from senders residing in any domain that provided DKIM
signatures. With this update, the bug was fixed.
* Mailman used a console encoding when generating a subject for a "welcome
email" when new mailing lists were created by the "newlist" command.
Consequently, when the console encoding did not match the encoding used by
Mailman for that particular language, characters in the "welcome email" could be
displayed incorrectly. With this update, the problem was fixed.
* The "rmlist" command used a hardcoded path to list data based on the
VAR_PREFIX configuration variable. As a consequence, when the list was created
outside of VAR_PREFIX, it was impossible to remove it using the "rmlist"
command. With this update, this bug was fixed.
* Due to an incompatibility between Python and Mailman in Asianux Server 4,
when moderators were approving a moderated message to a mailing list
and checked the "Preserve messages for the site administrator" checkbox, Mailman
failed to approve the message and returned an error. This incompatibility has
been fixed with this update.
* When Mailman was set to not archive a list but the archive was not set to
private, attachments sent to that list were placed in a public archive.
Consequently, users of Mailman web interface could list private attachments
because httpd configuration of public archive directory allows listing all files
in the archive directory. The httpd configuration of Mailman has been fixed in
this update.

Solution: 

Update packages.

CVEs: 
CVE-2002-0389
Pipermail in Mailman stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives.
CVE-2015-2775
Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute arbitrary files via a .. (dot dot) in a list name.
Additional Info: 

N/A

Download: 

SRPMS
  1. mailman-2.1.12-25.AXS4.src.rpm
    MD5: 933f61cc5184c3b09f61b0075ee6a7b6
    SHA-256: 8930dbe130f42d80d1b7f8eb2be965bcc586725d9a5d3201ee7a2f04114cbd7d
    Size: 8.98 MB

Asianux Server 4 for x86
  1. mailman-2.1.12-25.AXS4.i686.rpm
    MD5: a95beb9308b7c587cfc8cbc729ef053e
    SHA-256: 74e1545c2ebb36805c83109cf75e4f9f0012997ac69cfd303be8f87aac9a82d9
    Size: 7.33 MB

Asianux Server 4 for x86_64
  1. mailman-2.1.12-25.AXS4.x86_64.rpm
    MD5: 7f9a00a90ed25ca334664dfe71530a50
    SHA-256: b60eac189e3031a24e7e6db98e9f43c198f61ee77bbfebc1d9c3be3fbca000c2
    Size: 7.35 MB