mailman-2.1.23-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10215-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z mailman-2.1.23-1.2 on GA media These are all security issues fixed in the mailman-2.1.23-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10215 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2011-0707/ SUSE CVE CVE-2011-0707 page https://www.suse.com/security/cve/CVE-2015-2775/ SUSE CVE CVE-2015-2775 page https://www.suse.com/security/cve/CVE-2016-6893/ SUSE CVE CVE-2016-6893 page openSUSE Tumbleweed mailman-2.1.23-1.2 mailman-2.1.23-1.2 as a component of openSUSE Tumbleweed Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message. CVE-2011-0707 openSUSE Tumbleweed:mailman-2.1.23-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-0707.html CVE-2011-0707 https://bugzilla.suse.com/671745 SUSE Bug 671745 Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute arbitrary files via a .. (dot dot) in a list name. CVE-2015-2775 openSUSE Tumbleweed:mailman-2.1.23-1.2 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-2775.html CVE-2015-2775 https://bugzilla.suse.com/925502 SUSE Bug 925502 Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account. CVE-2016-6893 openSUSE Tumbleweed:mailman-2.1.23-1.2 low 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6893.html CVE-2016-6893 https://bugzilla.suse.com/995352 SUSE Bug 995352 https://bugzilla.suse.com/997205 SUSE Bug 997205