Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2020-12137 (GCVE-0-2020-12137)
Vulnerability from cvelistv5
Published
2020-04-24 12:37
Modified
2024-08-04 11:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:58.357Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS"
},
{
"name": "[oss-security] 20200424 Re: mailman 2.x: XSS via file attachments in list archives",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2020/04/24/3"
},
{
"name": "DSA-4664",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4664"
},
{
"name": "[debian-lts-announce] 20200503 [SECURITY] [DLA 2200-1] mailman security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00002.html"
},
{
"name": "USN-4348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4348-1/"
},
{
"name": "FEDORA-2020-69f2f1d987",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4COSBBEMJYLV7WSW5QTUJUOFJFK47KK/"
},
{
"name": "FEDORA-2020-20b748e81e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6YCMGTTOXXCVM4O6CYZLTZDX6YLYORNF/"
},
{
"name": "openSUSE-SU-2020:1707",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"name": "openSUSE-SU-2020:1752",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-27T15:06:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS"
},
{
"name": "[oss-security] 20200424 Re: mailman 2.x: XSS via file attachments in list archives",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2020/04/24/3"
},
{
"name": "DSA-4664",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4664"
},
{
"name": "[debian-lts-announce] 20200503 [SECURITY] [DLA 2200-1] mailman security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00002.html"
},
{
"name": "USN-4348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4348-1/"
},
{
"name": "FEDORA-2020-69f2f1d987",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4COSBBEMJYLV7WSW5QTUJUOFJFK47KK/"
},
{
"name": "FEDORA-2020-20b748e81e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6YCMGTTOXXCVM4O6CYZLTZDX6YLYORNF/"
},
{
"name": "openSUSE-SU-2020:1707",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"name": "openSUSE-SU-2020:1752",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12137",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openwall.com/lists/oss-security/2020/02/24/2",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/2"
},
{
"name": "https://www.openwall.com/lists/oss-security/2020/02/24/3",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/3"
},
{
"name": "http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS",
"refsource": "MISC",
"url": "http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS"
},
{
"name": "[oss-security] 20200424 Re: mailman 2.x: XSS via file attachments in list archives",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2020/04/24/3"
},
{
"name": "DSA-4664",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4664"
},
{
"name": "[debian-lts-announce] 20200503 [SECURITY] [DLA 2200-1] mailman security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00002.html"
},
{
"name": "USN-4348-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4348-1/"
},
{
"name": "FEDORA-2020-69f2f1d987",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4COSBBEMJYLV7WSW5QTUJUOFJFK47KK/"
},
{
"name": "FEDORA-2020-20b748e81e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6YCMGTTOXXCVM4O6CYZLTZDX6YLYORNF/"
},
{
"name": "openSUSE-SU-2020:1707",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"name": "openSUSE-SU-2020:1752",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12137",
"datePublished": "2020-04-24T12:37:58",
"dateReserved": "2020-04-24T00:00:00",
"dateUpdated": "2024-08-04T11:48:58.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2020-12137\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-04-24T13:15:11.780\",\"lastModified\":\"2024-11-21T04:59:19.407\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.\"},{\"lang\":\"es\",\"value\":\"GNU Mailman versiones 2.x anteriores a la versi\u00f3n 2.1.30, usa una extensi\u00f3n .obj para partes MIME de aplications/octet-stream. Este comportamiento puede contribuir a ataques de tipo XSS contra visitantes de archivos de lista, porque una respuesta HTTP desde un servidor web de archivo puede carecer de un tipo MIME, y un navegador web puede realizar rastreo del MIME, concluir que el tipo MIME deber\u00eda haber sido text/html, y ejecutar c\u00f3digo JavaScript.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gnu:mailman:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0\",\"versionEndExcluding\":\"2.1.30\",\"matchCriteriaId\":\"DAEA26EA-3266-4B64-9B44-F554EA2944E8\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*\",\"matchCriteriaId\":\"7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*\",\"matchCriteriaId\":\"67E82302-4B77-44F3-97B1-24C18AC4A35D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B009C22E-30A4-4288-BCF6-C3E81DEAF45A\"}]}]}],\"references\":[{\"url\":\"http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2020/04/24/3\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/05/msg00002.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6YCMGTTOXXCVM4O6CYZLTZDX6YLYORNF/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4COSBBEMJYLV7WSW5QTUJUOFJFK47KK/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://usn.ubuntu.com/4348-1/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4664\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.openwall.com/lists/oss-security/2020/02/24/2\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.openwall.com/lists/oss-security/2020/02/24/3\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2020/04/24/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/05/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6YCMGTTOXXCVM4O6CYZLTZDX6YLYORNF/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4COSBBEMJYLV7WSW5QTUJUOFJFK47KK/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4348-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4664\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.openwall.com/lists/oss-security/2020/02/24/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.openwall.com/lists/oss-security/2020/02/24/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}"
}
}
ghsa-7mvx-jp9h-p8gh
Vulnerability from github
Published
2022-05-24 17:16
Modified
2022-11-16 12:00
Severity ?
VLAI Severity ?
Details
GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.
{
"affected": [],
"aliases": [
"CVE-2020-12137"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-24T13:15:00Z",
"severity": "MODERATE"
},
"details": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"id": "GHSA-7mvx-jp9h-p8gh",
"modified": "2022-11-16T12:00:20Z",
"published": "2022-05-24T17:16:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12137"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00002.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6YCMGTTOXXCVM4O6CYZLTZDX6YLYORNF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4COSBBEMJYLV7WSW5QTUJUOFJFK47KK"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4348-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4664"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/2"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/3"
},
{
"type": "WEB",
"url": "http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/04/24/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
fkie_cve-2020-12137
Vulnerability from fkie_nvd
Published
2020-04-24 13:15
Modified
2024-11-21 04:59
Severity ?
Summary
GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gnu | mailman | * | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 | |
| fedoraproject | fedora | 31 | |
| fedoraproject | fedora | 32 | |
| debian | debian_linux | 8.0 | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 18.04 | |
| opensuse | backports_sle | 15.0 | |
| opensuse | leap | 15.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gnu:mailman:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DAEA26EA-3266-4B64-9B44-F554EA2944E8",
"versionEndExcluding": "2.1.30",
"versionStartIncluding": "2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*",
"matchCriteriaId": "67E82302-4B77-44F3-97B1-24C18AC4A35D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code."
},
{
"lang": "es",
"value": "GNU Mailman versiones 2.x anteriores a la versi\u00f3n 2.1.30, usa una extensi\u00f3n .obj para partes MIME de aplications/octet-stream. Este comportamiento puede contribuir a ataques de tipo XSS contra visitantes de archivos de lista, porque una respuesta HTTP desde un servidor web de archivo puede carecer de un tipo MIME, y un navegador web puede realizar rastreo del MIME, concluir que el tipo MIME deber\u00eda haber sido text/html, y ejecutar c\u00f3digo JavaScript."
}
],
"id": "CVE-2020-12137",
"lastModified": "2024-11-21T04:59:19.407",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-04-24T13:15:11.780",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2020/04/24/3"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00002.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6YCMGTTOXXCVM4O6CYZLTZDX6YLYORNF/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4COSBBEMJYLV7WSW5QTUJUOFJFK47KK/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4348-1/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4664"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2020/04/24/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6YCMGTTOXXCVM4O6CYZLTZDX6YLYORNF/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4COSBBEMJYLV7WSW5QTUJUOFJFK47KK/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4348-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4664"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/3"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
RHSA-2020:4667
Vulnerability from csaf_redhat
Published
2020-11-04 01:27
Modified
2025-09-25 12:25
Summary
Red Hat Security Advisory: mailman:2.1 security and bug fix update
Notes
Topic
An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Mailman is a program used to help manage e-mail discussion lists.
Security Fix(es):
* mailman: XSS via file attachments in list archives (CVE-2020-12137)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Mailman is a program used to help manage e-mail discussion lists.\n\nSecurity Fix(es):\n\n* mailman: XSS via file attachments in list archives (CVE-2020-12137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:4667",
"url": "https://access.redhat.com/errata/RHSA-2020:4667"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/"
},
{
"category": "external",
"summary": "1683399",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1683399"
},
{
"category": "external",
"summary": "1780100",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1780100"
},
{
"category": "external",
"summary": "1805954",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805954"
},
{
"category": "external",
"summary": "1830007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1830007"
},
{
"category": "external",
"summary": "1837218",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1837218"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4667.json"
}
],
"title": "Red Hat Security Advisory: mailman:2.1 security and bug fix update",
"tracking": {
"current_release_date": "2025-09-25T12:25:37+00:00",
"generator": {
"date": "2025-09-25T12:25:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.8"
}
},
"id": "RHSA-2020:4667",
"initial_release_date": "2020-11-04T01:27:47+00:00",
"revision_history": [
{
"date": "2020-11-04T01:27:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-11-04T01:27:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-09-25T12:25:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"product": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm (mailman:2.1)",
"product_id": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=aarch64\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"product": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm (mailman:2.1)",
"product_id": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=aarch64\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"product": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm (mailman:2.1)",
"product_id": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=aarch64\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1",
"product": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm (mailman:2.1)",
"product_id": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=src\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"product": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm (mailman:2.1)",
"product_id": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=ppc64le\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"product": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm (mailman:2.1)",
"product_id": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=ppc64le\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"product": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm (mailman:2.1)",
"product_id": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=ppc64le\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"product": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm (mailman:2.1)",
"product_id": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=s390x\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"product": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm (mailman:2.1)",
"product_id": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=s390x\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"product": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm (mailman:2.1)",
"product_id": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=s390x\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"product": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm (mailman:2.1)",
"product_id": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=x86_64\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"product": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm (mailman:2.1)",
"product_id": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=x86_64\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"product": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm (mailman:2.1)",
"product_id": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=x86_64\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1"
},
"product_reference": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1"
},
"product_reference": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1"
},
"product_reference": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1"
},
"product_reference": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1"
},
"product_reference": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1"
},
"product_reference": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1"
},
"product_reference": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1"
},
"product_reference": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1"
},
"product_reference": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1"
},
"product_reference": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1"
},
"product_reference": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1"
},
"product_reference": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1"
},
"product_reference": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12137",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1830007"
}
],
"notes": [
{
"category": "description",
"text": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mailman: XSS via file attachments in list archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-12137"
},
{
"category": "external",
"summary": "RHBZ#1830007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1830007"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-12137",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-12137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12137"
}
],
"release_date": "2020-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-11-04T01:27:47+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:4667"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mailman: XSS via file attachments in list archives"
}
]
}
rhsa-2020_4667
Vulnerability from csaf_redhat
Published
2020-11-04 01:27
Modified
2024-11-22 15:01
Summary
Red Hat Security Advisory: mailman:2.1 security and bug fix update
Notes
Topic
An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Mailman is a program used to help manage e-mail discussion lists.
Security Fix(es):
* mailman: XSS via file attachments in list archives (CVE-2020-12137)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Mailman is a program used to help manage e-mail discussion lists.\n\nSecurity Fix(es):\n\n* mailman: XSS via file attachments in list archives (CVE-2020-12137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:4667",
"url": "https://access.redhat.com/errata/RHSA-2020:4667"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/"
},
{
"category": "external",
"summary": "1683399",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1683399"
},
{
"category": "external",
"summary": "1780100",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1780100"
},
{
"category": "external",
"summary": "1805954",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805954"
},
{
"category": "external",
"summary": "1830007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1830007"
},
{
"category": "external",
"summary": "1837218",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1837218"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4667.json"
}
],
"title": "Red Hat Security Advisory: mailman:2.1 security and bug fix update",
"tracking": {
"current_release_date": "2024-11-22T15:01:54+00:00",
"generator": {
"date": "2024-11-22T15:01:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2020:4667",
"initial_release_date": "2020-11-04T01:27:47+00:00",
"revision_history": [
{
"date": "2020-11-04T01:27:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-11-04T01:27:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T15:01:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman:2.1:8030020200601095048:c307c522",
"product": {
"name": "mailman:2.1:8030020200601095048:c307c522",
"product_id": "mailman:2.1:8030020200601095048:c307c522",
"product_identification_helper": {
"purl": "pkg:rpmmod/redhat/mailman@2.1:8030020200601095048:c307c522"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"product": {
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"product_id": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=aarch64\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"product": {
"name": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"product_id": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=aarch64\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"product": {
"name": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"product_id": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=aarch64\u0026epoch=3"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.src",
"product": {
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.src",
"product_id": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=src\u0026epoch=3"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"product": {
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"product_id": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=ppc64le\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"product": {
"name": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"product_id": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=ppc64le\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"product": {
"name": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"product_id": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=ppc64le\u0026epoch=3"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"product": {
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"product_id": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=s390x\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"product": {
"name": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"product_id": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=s390x\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"product": {
"name": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"product_id": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=s390x\u0026epoch=3"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"product": {
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"product_id": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=x86_64\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"product": {
"name": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"product_id": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=x86_64\u0026epoch=3"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"product": {
"name": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"product_id": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=x86_64\u0026epoch=3"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
"product_reference": "mailman:2.1:8030020200601095048:c307c522",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64 as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64"
},
"product_reference": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le"
},
"product_reference": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x"
},
"product_reference": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.src as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.src"
},
"product_reference": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.src",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64 as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64"
},
"product_reference": "mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64 as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64"
},
"product_reference": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le"
},
"product_reference": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x"
},
"product_reference": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64 as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64"
},
"product_reference": "mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64 as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64"
},
"product_reference": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le"
},
"product_reference": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x"
},
"product_reference": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64 as a component of mailman:2.1:8030020200601095048:c307c522 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64"
},
"product_reference": "mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"relates_to_product_reference": "AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12137",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1830007"
}
],
"notes": [
{
"category": "description",
"text": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mailman: XSS via file attachments in list archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.src",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-12137"
},
{
"category": "external",
"summary": "RHBZ#1830007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1830007"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-12137",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-12137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12137"
}
],
"release_date": "2020-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-11-04T01:27:47+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.src",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:4667"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.src",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debuginfo-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x",
"AppStream-8.3.0.GA:mailman:2.1:8030020200601095048:c307c522:mailman-debugsource-3:2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mailman: XSS via file attachments in list archives"
}
]
}
rhsa-2020:4667
Vulnerability from csaf_redhat
Published
2020-11-04 01:27
Modified
2025-09-25 12:25
Summary
Red Hat Security Advisory: mailman:2.1 security and bug fix update
Notes
Topic
An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Mailman is a program used to help manage e-mail discussion lists.
Security Fix(es):
* mailman: XSS via file attachments in list archives (CVE-2020-12137)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Mailman is a program used to help manage e-mail discussion lists.\n\nSecurity Fix(es):\n\n* mailman: XSS via file attachments in list archives (CVE-2020-12137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:4667",
"url": "https://access.redhat.com/errata/RHSA-2020:4667"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/"
},
{
"category": "external",
"summary": "1683399",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1683399"
},
{
"category": "external",
"summary": "1780100",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1780100"
},
{
"category": "external",
"summary": "1805954",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805954"
},
{
"category": "external",
"summary": "1830007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1830007"
},
{
"category": "external",
"summary": "1837218",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1837218"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4667.json"
}
],
"title": "Red Hat Security Advisory: mailman:2.1 security and bug fix update",
"tracking": {
"current_release_date": "2025-09-25T12:25:37+00:00",
"generator": {
"date": "2025-09-25T12:25:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.8"
}
},
"id": "RHSA-2020:4667",
"initial_release_date": "2020-11-04T01:27:47+00:00",
"revision_history": [
{
"date": "2020-11-04T01:27:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-11-04T01:27:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-09-25T12:25:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"product": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm (mailman:2.1)",
"product_id": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=aarch64\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"product": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm (mailman:2.1)",
"product_id": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=aarch64\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"product": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm (mailman:2.1)",
"product_id": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=aarch64\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1",
"product": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm (mailman:2.1)",
"product_id": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=src\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"product": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm (mailman:2.1)",
"product_id": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=ppc64le\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"product": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm (mailman:2.1)",
"product_id": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=ppc64le\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"product": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm (mailman:2.1)",
"product_id": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=ppc64le\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"product": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm (mailman:2.1)",
"product_id": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=s390x\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"product": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm (mailman:2.1)",
"product_id": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=s390x\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"product": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm (mailman:2.1)",
"product_id": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=s390x\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"product": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm (mailman:2.1)",
"product_id": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=x86_64\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"product": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm (mailman:2.1)",
"product_id": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debuginfo@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=x86_64\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
},
{
"category": "product_version",
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"product": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm (mailman:2.1)",
"product_id": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mailman-debugsource@2.1.29-10.module%2Bel8.3.0%2B6860%2B8e47d84b?arch=x86_64\u0026epoch=3\u0026rpmmod=mailman:2.1:8030020200601095048:c307c522"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1"
},
"product_reference": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1"
},
"product_reference": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1"
},
"product_reference": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1"
},
"product_reference": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1"
},
"product_reference": "mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1"
},
"product_reference": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1"
},
"product_reference": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1"
},
"product_reference": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1"
},
"product_reference": "mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1"
},
"product_reference": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1"
},
"product_reference": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1"
},
"product_reference": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm (mailman:2.1) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1"
},
"product_reference": "mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"relates_to_product_reference": "AppStream-8.3.0.GA"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12137",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1830007"
}
],
"notes": [
{
"category": "description",
"text": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mailman: XSS via file attachments in list archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-12137"
},
{
"category": "external",
"summary": "RHBZ#1830007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1830007"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-12137",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-12137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12137"
}
],
"release_date": "2020-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-11-04T01:27:47+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:4667"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.src.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debuginfo-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.aarch64.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.ppc64le.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.s390x.rpm-mailman:2.1",
"AppStream-8.3.0.GA:mailman-debugsource-2.1.29-10.module+el8.3.0+6860+8e47d84b.x86_64.rpm-mailman:2.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mailman: XSS via file attachments in list archives"
}
]
}
gsd-2020-12137
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-12137",
"description": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"id": "GSD-2020-12137",
"references": [
"https://www.suse.com/security/cve/CVE-2020-12137.html",
"https://www.debian.org/security/2020/dsa-4664",
"https://access.redhat.com/errata/RHSA-2020:4667",
"https://ubuntu.com/security/CVE-2020-12137",
"https://advisories.mageia.org/CVE-2020-12137.html",
"https://linux.oracle.com/cve/CVE-2020-12137.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-12137"
],
"details": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"id": "GSD-2020-12137",
"modified": "2023-12-13T01:21:49.456567Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12137",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openwall.com/lists/oss-security/2020/02/24/2",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/2"
},
{
"name": "https://www.openwall.com/lists/oss-security/2020/02/24/3",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/3"
},
{
"name": "http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS",
"refsource": "MISC",
"url": "http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS"
},
{
"name": "[oss-security] 20200424 Re: mailman 2.x: XSS via file attachments in list archives",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2020/04/24/3"
},
{
"name": "DSA-4664",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4664"
},
{
"name": "[debian-lts-announce] 20200503 [SECURITY] [DLA 2200-1] mailman security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00002.html"
},
{
"name": "USN-4348-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4348-1/"
},
{
"name": "FEDORA-2020-69f2f1d987",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4COSBBEMJYLV7WSW5QTUJUOFJFK47KK/"
},
{
"name": "FEDORA-2020-20b748e81e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6YCMGTTOXXCVM4O6CYZLTZDX6YLYORNF/"
},
{
"name": "openSUSE-SU-2020:1707",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"name": "openSUSE-SU-2020:1752",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:gnu:mailman:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.1.30",
"versionStartIncluding": "2.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12137"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openwall.com/lists/oss-security/2020/02/24/3",
"refsource": "MISC",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/3"
},
{
"name": "https://www.openwall.com/lists/oss-security/2020/02/24/2",
"refsource": "MISC",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2020/02/24/2"
},
{
"name": "http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS"
},
{
"name": "[oss-security] 20200424 Re: mailman 2.x: XSS via file attachments in list archives",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2020/04/24/3"
},
{
"name": "DSA-4664",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4664"
},
{
"name": "[debian-lts-announce] 20200503 [SECURITY] [DLA 2200-1] mailman security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00002.html"
},
{
"name": "USN-4348-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4348-1/"
},
{
"name": "FEDORA-2020-69f2f1d987",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4COSBBEMJYLV7WSW5QTUJUOFJFK47KK/"
},
{
"name": "FEDORA-2020-20b748e81e",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6YCMGTTOXXCVM4O6CYZLTZDX6YLYORNF/"
},
{
"name": "openSUSE-SU-2020:1707",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00047.html"
},
{
"name": "openSUSE-SU-2020:1752",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00063.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
},
"lastModifiedDate": "2022-11-16T03:14Z",
"publishedDate": "2020-04-24T13:15Z"
}
}
}
suse-su-2020:14356-1
Vulnerability from csaf_suse
Published
2020-05-05 07:49
Modified
2020-05-05 07:49
Summary
Security update for mailman
Notes
Title of the patch
Security update for mailman
Description of the patch
This update for mailman fixes the following issues:
Security issue fixed:
- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).
Non-security issue fixed:
- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).
Patchnames
sleposp3-mailman-14356,slessp4-mailman-14356
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for mailman",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for mailman fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).\n\nNon-security issue fixed:\n\n- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "sleposp3-mailman-14356,slessp4-mailman-14356",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2020_14356-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2020:14356-1",
"url": "https://www.suse.com/support/update/announcement/2020/suse-su-202014356-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2020:14356-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2020-May/006780.html"
},
{
"category": "self",
"summary": "SUSE Bug 1167068",
"url": "https://bugzilla.suse.com/1167068"
},
{
"category": "self",
"summary": "SUSE Bug 1170558",
"url": "https://bugzilla.suse.com/1170558"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12137/"
}
],
"title": "Security update for mailman",
"tracking": {
"current_release_date": "2020-05-05T07:49:37Z",
"generator": {
"date": "2020-05-05T07:49:37Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2020:14356-1",
"initial_release_date": "2020-05-05T07:49:37Z",
"revision_history": [
{
"date": "2020-05-05T07:49:37Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.15-9.6.20.1.i586",
"product": {
"name": "mailman-2.1.15-9.6.20.1.i586",
"product_id": "mailman-2.1.15-9.6.20.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.15-9.6.20.1.ppc64",
"product": {
"name": "mailman-2.1.15-9.6.20.1.ppc64",
"product_id": "mailman-2.1.15-9.6.20.1.ppc64"
}
}
],
"category": "architecture",
"name": "ppc64"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.15-9.6.20.1.s390x",
"product": {
"name": "mailman-2.1.15-9.6.20.1.s390x",
"product_id": "mailman-2.1.15-9.6.20.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.15-9.6.20.1.x86_64",
"product": {
"name": "mailman-2.1.15-9.6.20.1.x86_64",
"product_id": "mailman-2.1.15-9.6.20.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Point of Sale 11 SP3",
"product": {
"name": "SUSE Linux Enterprise Point of Sale 11 SP3",
"product_id": "SUSE Linux Enterprise Point of Sale 11 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-pos:11:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 11 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 11 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 11 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_sles:11:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.15-9.6.20.1.i586 as component of SUSE Linux Enterprise Point of Sale 11 SP3",
"product_id": "SUSE Linux Enterprise Point of Sale 11 SP3:mailman-2.1.15-9.6.20.1.i586"
},
"product_reference": "mailman-2.1.15-9.6.20.1.i586",
"relates_to_product_reference": "SUSE Linux Enterprise Point of Sale 11 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.15-9.6.20.1.i586 as component of SUSE Linux Enterprise Server 11 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.i586"
},
"product_reference": "mailman-2.1.15-9.6.20.1.i586",
"relates_to_product_reference": "SUSE Linux Enterprise Server 11 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.15-9.6.20.1.ppc64 as component of SUSE Linux Enterprise Server 11 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.ppc64"
},
"product_reference": "mailman-2.1.15-9.6.20.1.ppc64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 11 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.15-9.6.20.1.s390x as component of SUSE Linux Enterprise Server 11 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.s390x"
},
"product_reference": "mailman-2.1.15-9.6.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 11 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.15-9.6.20.1.x86_64 as component of SUSE Linux Enterprise Server 11 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.x86_64"
},
"product_reference": "mailman-2.1.15-9.6.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 11 SP4-LTSS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12137"
}
],
"notes": [
{
"category": "general",
"text": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Point of Sale 11 SP3:mailman-2.1.15-9.6.20.1.i586",
"SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.i586",
"SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.ppc64",
"SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.s390x",
"SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12137",
"url": "https://www.suse.com/security/cve/CVE-2020-12137"
},
{
"category": "external",
"summary": "SUSE Bug 1170558 for CVE-2020-12137",
"url": "https://bugzilla.suse.com/1170558"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Point of Sale 11 SP3:mailman-2.1.15-9.6.20.1.i586",
"SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.i586",
"SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.ppc64",
"SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.s390x",
"SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Point of Sale 11 SP3:mailman-2.1.15-9.6.20.1.i586",
"SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.i586",
"SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.ppc64",
"SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.s390x",
"SUSE Linux Enterprise Server 11 SP4-LTSS:mailman-2.1.15-9.6.20.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-05-05T07:49:37Z",
"details": "moderate"
}
],
"title": "CVE-2020-12137"
}
]
}
suse-su-2020:1301-1
Vulnerability from csaf_suse
Published
2020-05-18 05:47
Modified
2020-05-18 05:47
Summary
Security update for mailman
Notes
Title of the patch
Security update for mailman
Description of the patch
This update for mailman fixes the following issues:
Security issue fixed:
- CVE-2020-12108: Fixed a content injection bug (bsc#1171363).
- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).
Non-security issue fixed:
- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST (bsc#682920).
Patchnames
HPE-Helion-OpenStack-8-2020-1301,SUSE-2020-1301,SUSE-OpenStack-Cloud-7-2020-1301,SUSE-OpenStack-Cloud-8-2020-1301,SUSE-OpenStack-Cloud-Crowbar-8-2020-1301,SUSE-SLE-SAP-12-SP1-2020-1301,SUSE-SLE-SAP-12-SP2-2020-1301,SUSE-SLE-SAP-12-SP3-2020-1301,SUSE-SLE-SERVER-12-SP1-2020-1301,SUSE-SLE-SERVER-12-SP2-2020-1301,SUSE-SLE-SERVER-12-SP2-BCL-2020-1301,SUSE-SLE-SERVER-12-SP3-2020-1301,SUSE-SLE-SERVER-12-SP3-BCL-2020-1301,SUSE-SLE-SERVER-12-SP4-2020-1301,SUSE-SLE-SERVER-12-SP5-2020-1301,SUSE-Storage-5-2020-1301
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for mailman",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for mailman fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2020-12108: Fixed a content injection bug (bsc#1171363).\n- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).\n\nNon-security issue fixed:\n\n- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).\n- Don\u0027t default to invalid hosts for DEFAULT_EMAIL_HOST (bsc#682920).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "HPE-Helion-OpenStack-8-2020-1301,SUSE-2020-1301,SUSE-OpenStack-Cloud-7-2020-1301,SUSE-OpenStack-Cloud-8-2020-1301,SUSE-OpenStack-Cloud-Crowbar-8-2020-1301,SUSE-SLE-SAP-12-SP1-2020-1301,SUSE-SLE-SAP-12-SP2-2020-1301,SUSE-SLE-SAP-12-SP3-2020-1301,SUSE-SLE-SERVER-12-SP1-2020-1301,SUSE-SLE-SERVER-12-SP2-2020-1301,SUSE-SLE-SERVER-12-SP2-BCL-2020-1301,SUSE-SLE-SERVER-12-SP3-2020-1301,SUSE-SLE-SERVER-12-SP3-BCL-2020-1301,SUSE-SLE-SERVER-12-SP4-2020-1301,SUSE-SLE-SERVER-12-SP5-2020-1301,SUSE-Storage-5-2020-1301",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2020_1301-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2020:1301-1",
"url": "https://www.suse.com/support/update/announcement/2020/suse-su-20201301-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2020:1301-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2020-May/006830.html"
},
{
"category": "self",
"summary": "SUSE Bug 1167068",
"url": "https://bugzilla.suse.com/1167068"
},
{
"category": "self",
"summary": "SUSE Bug 1170558",
"url": "https://bugzilla.suse.com/1170558"
},
{
"category": "self",
"summary": "SUSE Bug 1171363",
"url": "https://bugzilla.suse.com/1171363"
},
{
"category": "self",
"summary": "SUSE Bug 682920",
"url": "https://bugzilla.suse.com/682920"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12108 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12108/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12137/"
}
],
"title": "Security update for mailman",
"tracking": {
"current_release_date": "2020-05-18T05:47:04Z",
"generator": {
"date": "2020-05-18T05:47:04Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2020:1301-1",
"initial_release_date": "2020-05-18T05:47:04Z",
"revision_history": [
{
"date": "2020-05-18T05:47:04Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.17-3.20.1.aarch64",
"product": {
"name": "mailman-2.1.17-3.20.1.aarch64",
"product_id": "mailman-2.1.17-3.20.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.17-3.20.1.i586",
"product": {
"name": "mailman-2.1.17-3.20.1.i586",
"product_id": "mailman-2.1.17-3.20.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.17-3.20.1.ppc64le",
"product": {
"name": "mailman-2.1.17-3.20.1.ppc64le",
"product_id": "mailman-2.1.17-3.20.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.17-3.20.1.s390",
"product": {
"name": "mailman-2.1.17-3.20.1.s390",
"product_id": "mailman-2.1.17-3.20.1.s390"
}
}
],
"category": "architecture",
"name": "s390"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.17-3.20.1.s390x",
"product": {
"name": "mailman-2.1.17-3.20.1.s390x",
"product_id": "mailman-2.1.17-3.20.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.17-3.20.1.x86_64",
"product": {
"name": "mailman-2.1.17-3.20.1.x86_64",
"product_id": "mailman-2.1.17-3.20.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "HPE Helion OpenStack 8",
"product": {
"name": "HPE Helion OpenStack 8",
"product_id": "HPE Helion OpenStack 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:hpe-helion-openstack:8"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 7",
"product": {
"name": "SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:7"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 8",
"product": {
"name": "SUSE OpenStack Cloud 8",
"product_id": "SUSE OpenStack Cloud 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:8"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud Crowbar 8",
"product": {
"name": "SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP1",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP1",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12:sp1"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP2",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP3",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP1-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP1-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:12:sp1"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP2-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP2-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:12:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP2-BCL",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP2-BCL",
"product_id": "SUSE Linux Enterprise Server 12 SP2-BCL",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-bcl:12:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP3-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP3-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:12:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP3-BCL",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP3-BCL",
"product_id": "SUSE Linux Enterprise Server 12 SP3-BCL",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-bcl:12:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP4",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP4",
"product_id": "SUSE Linux Enterprise Server 12 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:12:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:12:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:12:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 5",
"product": {
"name": "SUSE Enterprise Storage 5",
"product_id": "SUSE Enterprise Storage 5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of HPE Helion OpenStack 8",
"product_id": "HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "HPE Helion OpenStack 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE OpenStack Cloud 8",
"product_id": "SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP1",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server 12 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP1-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP1-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server 12 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP2-BCL",
"product_id": "SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP2-BCL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server 12 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP3-BCL",
"product_id": "SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP3-BCL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP4",
"product_id": "SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server 12 SP4",
"product_id": "SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP4",
"product_id": "SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.aarch64 as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64"
},
"product_reference": "mailman-2.1.17-3.20.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server 12 SP5",
"product_id": "SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.aarch64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64"
},
"product_reference": "mailman-2.1.17-3.20.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le"
},
"product_reference": "mailman-2.1.17-3.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x"
},
"product_reference": "mailman-2.1.17-3.20.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.17-3.20.1.x86_64 as component of SUSE Enterprise Storage 5",
"product_id": "SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64"
},
"product_reference": "mailman-2.1.17-3.20.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12108",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12108"
}
],
"notes": [
{
"category": "general",
"text": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12108",
"url": "https://www.suse.com/security/cve/CVE-2020-12108"
},
{
"category": "external",
"summary": "SUSE Bug 1171363 for CVE-2020-12108",
"url": "https://bugzilla.suse.com/1171363"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-05-18T05:47:04Z",
"details": "moderate"
}
],
"title": "CVE-2020-12108"
},
{
"cve": "CVE-2020-12137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12137"
}
],
"notes": [
{
"category": "general",
"text": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12137",
"url": "https://www.suse.com/security/cve/CVE-2020-12137"
},
{
"category": "external",
"summary": "SUSE Bug 1170558 for CVE-2020-12137",
"url": "https://bugzilla.suse.com/1170558"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"HPE Helion OpenStack 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE Enterprise Storage 5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP1-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP2-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-BCL:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP3-LTSS:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP1:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP2:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP3:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP4:mailman-2.1.17-3.20.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.aarch64",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.s390x",
"SUSE Linux Enterprise Server for SAP Applications 12 SP5:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.s390x",
"SUSE OpenStack Cloud 7:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud 8:mailman-2.1.17-3.20.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:mailman-2.1.17-3.20.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-05-18T05:47:04Z",
"details": "moderate"
}
],
"title": "CVE-2020-12137"
}
]
}
cnvd-2020-31601
Vulnerability from cnvd
Title: GNU Mailman跨站脚本漏洞
Description:
GNU Mailman是GNU计划的一套免费的用于管理电子邮件讨论和电子邮件列表的软件。该软件可与Web项目集成,使用户方便管理邮件订阅帐号,并提供内置归档、自动转发处理、内容过滤和反垃圾过滤器等功能。
GNU Mailman 2.1.30之前的2.x版本中存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。
Severity: 中
Patch Name: GNU Mailman跨站脚本漏洞的补丁
Patch Description:
GNU Mailman是GNU计划的一套免费的用于管理电子邮件讨论和电子邮件列表的软件。该软件可与Web项目集成,使用户方便管理邮件订阅帐号,并提供内置归档、自动转发处理、内容过滤和反垃圾过滤器等功能。
GNU Mailman 2.1.30之前的2.x版本中存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description:
目前厂商已发布升级补丁以修复漏洞,详情请关注厂商主页: http://www.gnu.org/
Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-12137
Impacted products
| Name | GNU Mailman 2.*,<2.1.30 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2020-12137",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-12137"
}
},
"description": "GNU Mailman\u662fGNU\u8ba1\u5212\u7684\u4e00\u5957\u514d\u8d39\u7684\u7528\u4e8e\u7ba1\u7406\u7535\u5b50\u90ae\u4ef6\u8ba8\u8bba\u548c\u7535\u5b50\u90ae\u4ef6\u5217\u8868\u7684\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u53ef\u4e0eWeb\u9879\u76ee\u96c6\u6210\uff0c\u4f7f\u7528\u6237\u65b9\u4fbf\u7ba1\u7406\u90ae\u4ef6\u8ba2\u9605\u5e10\u53f7\uff0c\u5e76\u63d0\u4f9b\u5185\u7f6e\u5f52\u6863\u3001\u81ea\u52a8\u8f6c\u53d1\u5904\u7406\u3001\u5185\u5bb9\u8fc7\u6ee4\u548c\u53cd\u5783\u573e\u8fc7\u6ee4\u5668\u7b49\u529f\u80fd\u3002\n\nGNU Mailman 2.1.30\u4e4b\u524d\u76842.x\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttp://www.gnu.org/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2020-31601",
"openTime": "2020-06-04",
"patchDescription": "GNU Mailman\u662fGNU\u8ba1\u5212\u7684\u4e00\u5957\u514d\u8d39\u7684\u7528\u4e8e\u7ba1\u7406\u7535\u5b50\u90ae\u4ef6\u8ba8\u8bba\u548c\u7535\u5b50\u90ae\u4ef6\u5217\u8868\u7684\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u53ef\u4e0eWeb\u9879\u76ee\u96c6\u6210\uff0c\u4f7f\u7528\u6237\u65b9\u4fbf\u7ba1\u7406\u90ae\u4ef6\u8ba2\u9605\u5e10\u53f7\uff0c\u5e76\u63d0\u4f9b\u5185\u7f6e\u5f52\u6863\u3001\u81ea\u52a8\u8f6c\u53d1\u5904\u7406\u3001\u5185\u5bb9\u8fc7\u6ee4\u548c\u53cd\u5783\u573e\u8fc7\u6ee4\u5668\u7b49\u529f\u80fd\u3002\r\n\r\nGNU Mailman 2.1.30\u4e4b\u524d\u76842.x\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "GNU Mailman\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "GNU Mailman 2.*\uff0c\u003c2.1.30"
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-12137",
"serverity": "\u4e2d",
"submitTime": "2020-04-26",
"title": "GNU Mailman\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}
opensuse-su-2020:1752-1
Vulnerability from csaf_opensuse
Published
2020-10-27 09:21
Modified
2020-10-27 09:21
Summary
Recommended update for mailman
Notes
Title of the patch
Recommended update for mailman
Description of the patch
This update for mailman to version 2.1.34 fixes the following issues:
- The fix for lp#1859104 can result in ValueError being thrown
on attempts to subscribe to a list. This is fixed and
extended to apply REFUSE_SECOND_PENDING to unsubscription as
well. (lp#1878458)
- DMARC mitigation no longer misses if the domain name returned
by DNS contains upper case. (lp#1881035)
- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to
prevent mailbombing of a member of a list with private
rosters by repeated subscribe attempts. (lp#1883017)
- Very long filenames for scrubbed attachments are now
truncated. (lp#1884456)
- A content injection vulnerability via the private login page
has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)
- A content injection vulnerability via the options login page
has been discovered and reported by Vishal Singh.
CVE-2020-12108 (lp#1873722, bsc#1171363)
- Bounce recognition for a non-compliant Yahoo format is added.
- Archiving workaround for non-ascii in string.lowercase in
some Python packages is added.
- Thanks to Jim Popovitch, there is now
a dmarc_moderation_addresses list setting that can be used to
apply dmarc_moderation_action to mail From: addresses listed
or matching listed regexps. This can be used to modify mail
to addresses that don't accept external mail From:
themselves.
- There is a new MAX_LISTNAME_LENGTH setting. The fix for
lp#1780874 obtains a list of the names of all the all the
lists in the installation in order to determine the maximum
length of a legitimate list name. It does this on every web
access and on sites with a very large number of lists, this
can have performance implications. See the description in
Defaults.py for more information.
- Thanks to Ralf Jung there is now the ability to add text
based captchas (aka textchas) to the listinfo subscribe form.
See the documentation for the new CAPTCHA setting in
Defaults.py for how to enable this. Also note that if you
have custom listinfo.html templates, you will have to add
a <mm-captcha-ui> tag to those templates to make this work.
This feature can be used in combination with or instead of
the Google reCAPTCHA feature added in 2.1.26.
- Thanks to Ralf Hildebrandt the web admin Membership
Management section now has a feature to sync the list's
membership with a list of email addresses as with the
bin/sync_members command.
- There is a new drop_cc list attribute set from
DEFAULT_DROP_CC. This controls the dropping of addresses from
the Cc: header in delivered messages by the duplicate
avoidance process. (lp#1845751)
- There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that
will cause a second request to subscribe to a list when there
is already a pending confirmation for that user. This can be
set to Yes to prevent mailbombing of a third party by
repeatedly posting the subscribe form. (lp#1859104)
- Fixed the confirm CGI to catch a rare TypeError on
simultaneous confirmations of the same token. (lp#1785854)
- Scrubbed application/octet-stream MIME parts will now be
given a .bin extension instead of .obj. CVE-2020-12137
(lp#1886117)
- Added bounce recognition for a non-compliant opensmtpd DSN
with Action: error. (lp#1805137)
- Corrected and augmented some security log messages.
(lp#1810098)
- Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner
--runner=All. (lp#1818205)
- Leading/trailing spaces in provided email addresses for login
to private archives and the user options page are now
ignored. (lp#1818872)
- Fixed the spelling of the --no-restart option for mailmanctl.
- Fixed an issue where certain combinations of charset and
invalid characters in a list's description could produce
a List-ID header without angle brackets. (lp#1831321)
- With the Postfix MTA and virtual domains, mappings for the
site list -bounces and -request addresses in each virtual
domain are now added to data/virtual-mailman (-owner was done
in 2.1.24). (lp#1831777)
- The paths.py module now extends sys.path with the result of
site.getsitepackages() if available. (lp#1838866)
- A bug causing a UnicodeDecodeError in preparing to send the
confirmation request message to a new subscriber has been
fixed. (lp#1851442)
- The SimpleMatch heuristic bounce recognizer has been improved
to not return most invalid email addresses. (lp#1859011)
This update was imported from the openSUSE:Leap:15.2:Update update project.
Patchnames
openSUSE-2020-1752
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Recommended update for mailman",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for mailman to version 2.1.34 fixes the following issues:\n\n - The fix for lp#1859104 can result in ValueError being thrown\n on attempts to subscribe to a list. This is fixed and\n extended to apply REFUSE_SECOND_PENDING to unsubscription as\n well. (lp#1878458)\n - DMARC mitigation no longer misses if the domain name returned\n by DNS contains upper case. (lp#1881035)\n - A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to\n prevent mailbombing of a member of a list with private\n rosters by repeated subscribe attempts. (lp#1883017)\n - Very long filenames for scrubbed attachments are now\n truncated. (lp#1884456)\n - A content injection vulnerability via the private login page\n has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)\n - A content injection vulnerability via the options login page\n has been discovered and reported by Vishal Singh.\n CVE-2020-12108 (lp#1873722, bsc#1171363)\n - Bounce recognition for a non-compliant Yahoo format is added.\n - Archiving workaround for non-ascii in string.lowercase in\n some Python packages is added.\n - Thanks to Jim Popovitch, there is now\n a dmarc_moderation_addresses list setting that can be used to\n apply dmarc_moderation_action to mail From: addresses listed\n or matching listed regexps. This can be used to modify mail\n to addresses that don\u0027t accept external mail From:\n themselves.\n - There is a new MAX_LISTNAME_LENGTH setting. The fix for\n lp#1780874 obtains a list of the names of all the all the\n lists in the installation in order to determine the maximum\n length of a legitimate list name. It does this on every web\n access and on sites with a very large number of lists, this\n can have performance implications. See the description in\n Defaults.py for more information.\n - Thanks to Ralf Jung there is now the ability to add text\n based captchas (aka textchas) to the listinfo subscribe form.\n See the documentation for the new CAPTCHA setting in\n Defaults.py for how to enable this. Also note that if you\n have custom listinfo.html templates, you will have to add\n a \u003cmm-captcha-ui\u003e tag to those templates to make this work.\n This feature can be used in combination with or instead of\n the Google reCAPTCHA feature added in 2.1.26.\n - Thanks to Ralf Hildebrandt the web admin Membership\n Management section now has a feature to sync the list\u0027s\n membership with a list of email addresses as with the\n bin/sync_members command.\n - There is a new drop_cc list attribute set from\n DEFAULT_DROP_CC. This controls the dropping of addresses from\n the Cc: header in delivered messages by the duplicate\n avoidance process. (lp#1845751)\n - There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that\n will cause a second request to subscribe to a list when there\n is already a pending confirmation for that user. This can be\n set to Yes to prevent mailbombing of a third party by\n repeatedly posting the subscribe form. (lp#1859104)\n - Fixed the confirm CGI to catch a rare TypeError on\n simultaneous confirmations of the same token. (lp#1785854)\n - Scrubbed application/octet-stream MIME parts will now be\n given a .bin extension instead of .obj. CVE-2020-12137\n (lp#1886117)\n - Added bounce recognition for a non-compliant opensmtpd DSN\n with Action: error. (lp#1805137)\n - Corrected and augmented some security log messages.\n (lp#1810098)\n - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner\n --runner=All. (lp#1818205)\n - Leading/trailing spaces in provided email addresses for login\n to private archives and the user options page are now\n ignored. (lp#1818872)\n - Fixed the spelling of the --no-restart option for mailmanctl.\n - Fixed an issue where certain combinations of charset and\n invalid characters in a list\u0027s description could produce\n a List-ID header without angle brackets. (lp#1831321)\n - With the Postfix MTA and virtual domains, mappings for the\n site list -bounces and -request addresses in each virtual\n domain are now added to data/virtual-mailman (-owner was done\n in 2.1.24). (lp#1831777)\n - The paths.py module now extends sys.path with the result of\n site.getsitepackages() if available. (lp#1838866)\n - A bug causing a UnicodeDecodeError in preparing to send the\n confirmation request message to a new subscriber has been\n fixed. (lp#1851442)\n - The SimpleMatch heuristic bounce recognizer has been improved\n to not return most invalid email addresses. (lp#1859011)\n \nThis update was imported from the openSUSE:Leap:15.2:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-1752",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1752-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:1752-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Z4ZASCRNOELSGFUS6XMOBBM2KR7G3COA/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:1752-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Z4ZASCRNOELSGFUS6XMOBBM2KR7G3COA/"
},
{
"category": "self",
"summary": "SUSE Bug 1171363",
"url": "https://bugzilla.suse.com/1171363"
},
{
"category": "self",
"summary": "SUSE Bug 1173369",
"url": "https://bugzilla.suse.com/1173369"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12108 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12108/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12137/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-15011 page",
"url": "https://www.suse.com/security/cve/CVE-2020-15011/"
}
],
"title": "Recommended update for mailman",
"tracking": {
"current_release_date": "2020-10-27T09:21:55Z",
"generator": {
"date": "2020-10-27T09:21:55Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:1752-1",
"initial_release_date": "2020-10-27T09:21:55Z",
"revision_history": [
{
"date": "2020-10-27T09:21:55Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.34-bp152.7.3.1.aarch64",
"product": {
"name": "mailman-2.1.34-bp152.7.3.1.aarch64",
"product_id": "mailman-2.1.34-bp152.7.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.34-bp152.7.3.1.ppc64le",
"product": {
"name": "mailman-2.1.34-bp152.7.3.1.ppc64le",
"product_id": "mailman-2.1.34-bp152.7.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.34-bp152.7.3.1.s390x",
"product": {
"name": "mailman-2.1.34-bp152.7.3.1.s390x",
"product_id": "mailman-2.1.34-bp152.7.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.34-bp152.7.3.1.x86_64",
"product": {
"name": "mailman-2.1.34-bp152.7.3.1.x86_64",
"product_id": "mailman-2.1.34-bp152.7.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP2",
"product": {
"name": "SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.34-bp152.7.3.1.aarch64 as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64"
},
"product_reference": "mailman-2.1.34-bp152.7.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.34-bp152.7.3.1.ppc64le as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le"
},
"product_reference": "mailman-2.1.34-bp152.7.3.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.34-bp152.7.3.1.s390x as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x"
},
"product_reference": "mailman-2.1.34-bp152.7.3.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.34-bp152.7.3.1.x86_64 as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
},
"product_reference": "mailman-2.1.34-bp152.7.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12108",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12108"
}
],
"notes": [
{
"category": "general",
"text": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12108",
"url": "https://www.suse.com/security/cve/CVE-2020-12108"
},
{
"category": "external",
"summary": "SUSE Bug 1171363 for CVE-2020-12108",
"url": "https://bugzilla.suse.com/1171363"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-27T09:21:55Z",
"details": "moderate"
}
],
"title": "CVE-2020-12108"
},
{
"cve": "CVE-2020-12137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12137"
}
],
"notes": [
{
"category": "general",
"text": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12137",
"url": "https://www.suse.com/security/cve/CVE-2020-12137"
},
{
"category": "external",
"summary": "SUSE Bug 1170558 for CVE-2020-12137",
"url": "https://bugzilla.suse.com/1170558"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-27T09:21:55Z",
"details": "moderate"
}
],
"title": "CVE-2020-12137"
},
{
"cve": "CVE-2020-15011",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-15011"
}
],
"notes": [
{
"category": "general",
"text": "GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-15011",
"url": "https://www.suse.com/security/cve/CVE-2020-15011"
},
{
"category": "external",
"summary": "SUSE Bug 1173369 for CVE-2020-15011",
"url": "https://bugzilla.suse.com/1173369"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.aarch64",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.ppc64le",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.s390x",
"SUSE Package Hub 15 SP2:mailman-2.1.34-bp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-27T09:21:55Z",
"details": "moderate"
}
],
"title": "CVE-2020-15011"
}
]
}
opensuse-su-2020:1707-1
Vulnerability from csaf_opensuse
Published
2020-10-22 12:27
Modified
2020-10-22 12:27
Summary
Recommended update for mailman
Notes
Title of the patch
Recommended update for mailman
Description of the patch
This update for mailman to version 2.1.34 fixes the following issues:
- The fix for lp#1859104 can result in ValueError being thrown
on attempts to subscribe to a list. This is fixed and
extended to apply REFUSE_SECOND_PENDING to unsubscription as
well. (lp#1878458)
- DMARC mitigation no longer misses if the domain name returned
by DNS contains upper case. (lp#1881035)
- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to
prevent mailbombing of a member of a list with private
rosters by repeated subscribe attempts. (lp#1883017)
- Very long filenames for scrubbed attachments are now
truncated. (lp#1884456)
- A content injection vulnerability via the private login page
has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)
- A content injection vulnerability via the options login page
has been discovered and reported by Vishal Singh.
CVE-2020-12108 (lp#1873722, bsc#1171363)
- Bounce recognition for a non-compliant Yahoo format is added.
- Archiving workaround for non-ascii in string.lowercase in
some Python packages is added.
- Thanks to Jim Popovitch, there is now
a dmarc_moderation_addresses list setting that can be used to
apply dmarc_moderation_action to mail From: addresses listed
or matching listed regexps. This can be used to modify mail
to addresses that don't accept external mail From:
themselves.
- There is a new MAX_LISTNAME_LENGTH setting. The fix for
lp#1780874 obtains a list of the names of all the all the
lists in the installation in order to determine the maximum
length of a legitimate list name. It does this on every web
access and on sites with a very large number of lists, this
can have performance implications. See the description in
Defaults.py for more information.
- Thanks to Ralf Jung there is now the ability to add text
based captchas (aka textchas) to the listinfo subscribe form.
See the documentation for the new CAPTCHA setting in
Defaults.py for how to enable this. Also note that if you
have custom listinfo.html templates, you will have to add
a <mm-captcha-ui> tag to those templates to make this work.
This feature can be used in combination with or instead of
the Google reCAPTCHA feature added in 2.1.26.
- Thanks to Ralf Hildebrandt the web admin Membership
Management section now has a feature to sync the list's
membership with a list of email addresses as with the
bin/sync_members command.
- There is a new drop_cc list attribute set from
DEFAULT_DROP_CC. This controls the dropping of addresses from
the Cc: header in delivered messages by the duplicate
avoidance process. (lp#1845751)
- There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that
will cause a second request to subscribe to a list when there
is already a pending confirmation for that user. This can be
set to Yes to prevent mailbombing of a third party by
repeatedly posting the subscribe form. (lp#1859104)
- Fixed the confirm CGI to catch a rare TypeError on
simultaneous confirmations of the same token. (lp#1785854)
- Scrubbed application/octet-stream MIME parts will now be
given a .bin extension instead of .obj. CVE-2020-12137
(lp#1886117)
- Added bounce recognition for a non-compliant opensmtpd DSN
with Action: error. (lp#1805137)
- Corrected and augmented some security log messages.
(lp#1810098)
- Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner
--runner=All. (lp#1818205)
- Leading/trailing spaces in provided email addresses for login
to private archives and the user options page are now
ignored. (lp#1818872)
- Fixed the spelling of the --no-restart option for mailmanctl.
- Fixed an issue where certain combinations of charset and
invalid characters in a list's description could produce
a List-ID header without angle brackets. (lp#1831321)
- With the Postfix MTA and virtual domains, mappings for the
site list -bounces and -request addresses in each virtual
domain are now added to data/virtual-mailman (-owner was done
in 2.1.24). (lp#1831777)
- The paths.py module now extends sys.path with the result of
site.getsitepackages() if available. (lp#1838866)
- A bug causing a UnicodeDecodeError in preparing to send the
confirmation request message to a new subscriber has been
fixed. (lp#1851442)
- The SimpleMatch heuristic bounce recognizer has been improved
to not return most invalid email addresses. (lp#1859011)
Patchnames
openSUSE-2020-1707
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Recommended update for mailman",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for mailman to version 2.1.34 fixes the following issues:\n\n - The fix for lp#1859104 can result in ValueError being thrown\n on attempts to subscribe to a list. This is fixed and\n extended to apply REFUSE_SECOND_PENDING to unsubscription as\n well. (lp#1878458)\n - DMARC mitigation no longer misses if the domain name returned\n by DNS contains upper case. (lp#1881035)\n - A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to\n prevent mailbombing of a member of a list with private\n rosters by repeated subscribe attempts. (lp#1883017)\n - Very long filenames for scrubbed attachments are now\n truncated. (lp#1884456)\n - A content injection vulnerability via the private login page\n has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)\n - A content injection vulnerability via the options login page\n has been discovered and reported by Vishal Singh.\n CVE-2020-12108 (lp#1873722, bsc#1171363)\n - Bounce recognition for a non-compliant Yahoo format is added.\n - Archiving workaround for non-ascii in string.lowercase in\n some Python packages is added.\n - Thanks to Jim Popovitch, there is now\n a dmarc_moderation_addresses list setting that can be used to\n apply dmarc_moderation_action to mail From: addresses listed\n or matching listed regexps. This can be used to modify mail\n to addresses that don\u0027t accept external mail From:\n themselves.\n - There is a new MAX_LISTNAME_LENGTH setting. The fix for\n lp#1780874 obtains a list of the names of all the all the\n lists in the installation in order to determine the maximum\n length of a legitimate list name. It does this on every web\n access and on sites with a very large number of lists, this\n can have performance implications. See the description in\n Defaults.py for more information.\n - Thanks to Ralf Jung there is now the ability to add text\n based captchas (aka textchas) to the listinfo subscribe form.\n See the documentation for the new CAPTCHA setting in\n Defaults.py for how to enable this. Also note that if you\n have custom listinfo.html templates, you will have to add\n a \u003cmm-captcha-ui\u003e tag to those templates to make this work.\n This feature can be used in combination with or instead of\n the Google reCAPTCHA feature added in 2.1.26.\n - Thanks to Ralf Hildebrandt the web admin Membership\n Management section now has a feature to sync the list\u0027s\n membership with a list of email addresses as with the\n bin/sync_members command.\n - There is a new drop_cc list attribute set from\n DEFAULT_DROP_CC. This controls the dropping of addresses from\n the Cc: header in delivered messages by the duplicate\n avoidance process. (lp#1845751)\n - There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that\n will cause a second request to subscribe to a list when there\n is already a pending confirmation for that user. This can be\n set to Yes to prevent mailbombing of a third party by\n repeatedly posting the subscribe form. (lp#1859104)\n - Fixed the confirm CGI to catch a rare TypeError on\n simultaneous confirmations of the same token. (lp#1785854)\n - Scrubbed application/octet-stream MIME parts will now be\n given a .bin extension instead of .obj. CVE-2020-12137\n (lp#1886117)\n - Added bounce recognition for a non-compliant opensmtpd DSN\n with Action: error. (lp#1805137)\n - Corrected and augmented some security log messages.\n (lp#1810098)\n - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner\n --runner=All. (lp#1818205)\n - Leading/trailing spaces in provided email addresses for login\n to private archives and the user options page are now\n ignored. (lp#1818872)\n - Fixed the spelling of the --no-restart option for mailmanctl.\n - Fixed an issue where certain combinations of charset and\n invalid characters in a list\u0027s description could produce\n a List-ID header without angle brackets. (lp#1831321)\n - With the Postfix MTA and virtual domains, mappings for the\n site list -bounces and -request addresses in each virtual\n domain are now added to data/virtual-mailman (-owner was done\n in 2.1.24). (lp#1831777)\n - The paths.py module now extends sys.path with the result of\n site.getsitepackages() if available. (lp#1838866)\n - A bug causing a UnicodeDecodeError in preparing to send the\n confirmation request message to a new subscriber has been\n fixed. (lp#1851442)\n - The SimpleMatch heuristic bounce recognizer has been improved\n to not return most invalid email addresses. (lp#1859011)\n ",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-1707",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1707-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:1707-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6LXSIVYX5GOPLZQNIV3JT72GQ7L536DK/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:1707-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6LXSIVYX5GOPLZQNIV3JT72GQ7L536DK/"
},
{
"category": "self",
"summary": "SUSE Bug 1171363",
"url": "https://bugzilla.suse.com/1171363"
},
{
"category": "self",
"summary": "SUSE Bug 1173369",
"url": "https://bugzilla.suse.com/1173369"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12108 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12108/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-12137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-12137/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-15011 page",
"url": "https://www.suse.com/security/cve/CVE-2020-15011/"
}
],
"title": "Recommended update for mailman",
"tracking": {
"current_release_date": "2020-10-22T12:27:35Z",
"generator": {
"date": "2020-10-22T12:27:35Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:1707-1",
"initial_release_date": "2020-10-22T12:27:35Z",
"revision_history": [
{
"date": "2020-10-22T12:27:35Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "mailman-2.1.34-lp152.7.3.1.x86_64",
"product": {
"name": "mailman-2.1.34-lp152.7.3.1.x86_64",
"product_id": "mailman-2.1.34-lp152.7.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mailman-2.1.34-lp152.7.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
},
"product_reference": "mailman-2.1.34-lp152.7.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-12108",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12108"
}
],
"notes": [
{
"category": "general",
"text": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12108",
"url": "https://www.suse.com/security/cve/CVE-2020-12108"
},
{
"category": "external",
"summary": "SUSE Bug 1171363 for CVE-2020-12108",
"url": "https://bugzilla.suse.com/1171363"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-22T12:27:35Z",
"details": "moderate"
}
],
"title": "CVE-2020-12108"
},
{
"cve": "CVE-2020-12137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-12137"
}
],
"notes": [
{
"category": "general",
"text": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-12137",
"url": "https://www.suse.com/security/cve/CVE-2020-12137"
},
{
"category": "external",
"summary": "SUSE Bug 1170558 for CVE-2020-12137",
"url": "https://bugzilla.suse.com/1170558"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-22T12:27:35Z",
"details": "moderate"
}
],
"title": "CVE-2020-12137"
},
{
"cve": "CVE-2020-15011",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-15011"
}
],
"notes": [
{
"category": "general",
"text": "GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-15011",
"url": "https://www.suse.com/security/cve/CVE-2020-15011"
},
{
"category": "external",
"summary": "SUSE Bug 1173369 for CVE-2020-15011",
"url": "https://bugzilla.suse.com/1173369"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:mailman-2.1.34-lp152.7.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-22T12:27:35Z",
"details": "moderate"
}
],
"title": "CVE-2020-15011"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…