
mailman security update

2015-06-24 03:33:44
CentOS Project
lists.centos.org

CVSS2: 7.6 High (AV:N/AC:H/Au:N/C:C/I:C/A:C)
  Access Vector: NETWORK
  Access Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

EPSS: 0.031 Low (Percentile 90.9%)

CentOS Errata and Security Advisory CESA-2015:1153

Mailman is a program used to help manage email discussion lists.

It was found that mailman did not sanitize the list name before passing it
to certain MTAs. A local attacker could use this flaw to execute arbitrary
code as the user running mailman. (CVE-2015-2775)
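The flaw above is an input-validation problem: a list name reaches an MTA configuration (Mailman 2.1 generates alias entries of the form `listname: "|/path/to/wrapper post listname"`) without being restricted to a safe character set. The following is an added example, not Mailman's code and not the CESA-2015:1153 patch, of the defensive pattern: validate the list name against a whitelist before it is ever embedded in such a line, and refuse rather than escape anything outside it. The whitelist pattern, the wrapper path and the set of sub-addresses are assumptions made for this example.

```python
import re

# Whitelist for list names: a leading lowercase letter or digit, then up to 63
# characters from [a-z0-9_.-]. This pattern is an assumption chosen for this
# example; it is not Mailman's own rule and not the advisory's fix.
_SAFE_LIST_NAME = re.compile(r"[a-z0-9][a-z0-9_.-]{0,63}")

# Assumed path of the MTA-facing wrapper; real installs vary.
WRAPPER = "/usr/lib/mailman/mail/mailman"

# Sub-addresses a Mailman 2.1 list is conventionally given in the alias file
# (assumed here for illustration). "post" is the bare list address.
SUBADDRESSES = ("post", "admin", "bounces", "confirm", "join", "leave",
                "owner", "request", "subscribe", "unsubscribe")


def validate_list_name(name):
    """Normalize a list name and reject anything outside the whitelist.

    Returns the lowercased, stripped name or raises ValueError. Because the
    name ends up inside a quoted pipe command in the alias file, whitespace,
    quotes, shell metacharacters and non-ASCII are refused outright rather
    than escaped.
    """
    if not isinstance(name, str):
        raise ValueError("list name must be a string")
    normalized = name.strip().lower()
    if not _SAFE_LIST_NAME.fullmatch(normalized):
        raise ValueError("unsafe list name rejected: %r" % name)
    return normalized


def is_safe_list_name(name):
    """Boolean form of validate_list_name for callers that avoid exceptions."""
    try:
        validate_list_name(name)
        return True
    except ValueError:
        return False


def alias_lines(name, wrapper=WRAPPER):
    """Build the MTA alias entries for one list, validating the name first.

    The name is validated exactly once, at the boundary, so every line below
    is built only from characters the whitelist allows.
    """
    safe = validate_list_name(name)
    lines = []
    for sub in SUBADDRESSES:
        local_part = safe if sub == "post" else "%s-%s" % (safe, sub)
        lines.append('%s: "|%s %s %s"' % (local_part, wrapper, sub, safe))
    return lines


if __name__ == "__main__":
    # Constructed sample names: one acceptable, one that must be rejected.
    for candidate in ("Dev-Team", "bad name"):
        print(candidate, "->", "ok" if is_safe_list_name(candidate) else "rejected")
```

The point of the design is the single choke point: nothing downstream of `validate_list_name` needs to know about shell quoting, because names that would need quoting never get that far.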

This update also fixes the following bugs:

  • Previously, it was impossible to configure Mailman in a way that
    Domain-based Message Authentication, Reporting & Conformance (DMARC) would
    recognize Sender alignment for Domain Key Identified Mail (DKIM)
    signatures. Consequently, Mailman list subscribers that belonged to a mail
    server with a “reject” policy for DMARC, such as yahoo.com or AOL.com, were
    unable to receive Mailman forwarded messages from senders residing in any
    domain that provided DKIM signatures. With this update, domains with a
    “reject” DMARC policy are recognized correctly, and Mailman list
    administrators are able to configure the way these messages are handled. As
    a result, after a proper configuration, subscribers now correctly receive
    Mailman forwarded messages in this scenario. (BZ#1229288)

  • Previously, the /etc/mailman file had incorrectly set permissions, which
    in some cases caused removing Mailman lists to fail with a “‘NoneType’
    object has no attribute ‘close’” message. With this update, the permissions
    value for /etc/mailman is correctly set to 2775 instead of 0755, and
    removing Mailman lists now works as expected. (BZ#1229307)

  • Prior to this update, the mailman utility incorrectly installed the
    tmpfiles configuration in the /etc/tmpfiles.d/ directory. As a consequence,
    changes made to mailman tmpfiles configuration were overwritten if the
    mailman packages were reinstalled or updated. The mailman utility now
    installs the tmpfiles configuration in the /usr/lib/tmpfiles.d/ directory,
    and changes made to them by the user are preserved on reinstall or update.
    (BZ#1229306)

All mailman users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2015-June/083366.html

Affected packages:
mailman

Upstream details at:
https://access.redhat.com/errata/RHSA-2015:1153

OS      Version  Architecture  Package  Version            Filename
CentOS  7        x86_64        mailman  < 2.1.15-21.el7_1  mailman-2.1.15-21.el7_1.x86_64.rpm
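The table says a CentOS 7 host is affected when its installed mailman package is older than 2.1.15-21.el7_1. Deciding "older than" correctly requires RPM's segment-wise version comparison, not a string compare (2.1.9 must sort below 2.1.15, and 21.el7_1 above 21.el7). The following is an added example, not part of the advisory or of CentOS tooling, that parses `rpm -q mailman` output and compares it against the fixed build. It implements a simplified rpmvercmp (tilde and caret handling omitted, epoch assumed 0) and is meant only for packages from the same el7 stream.

```python
import re
import subprocess

# Fixed version-release taken from the advisory's affected-packages table.
FIXED_VR = "2.1.15-21.el7_1"

# Version strings are split into numeric and alphabetic runs; separators
# such as '.', '-' and '_' are ignored, as rpm does.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings like rpm (simplified).

    Numeric segments compare as integers, alphabetic ones lexically, and a
    numeric segment sorts above an alphabetic one. The tilde/caret rules of
    the real rpmvercmp are omitted (assumption: not needed for these
    packages). Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum and ynum:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xnum != ynum:
            return 1 if xnum else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # The string with more segments left is the newer one.
    return -1 if len(sa) < len(sb) else 1


def parse_nvra(nvra):
    """Split 'name-version-release.arch' into (name, version, release, arch)."""
    name, version, rel_arch = nvra.strip().rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch


def compare_vr(installed_vr, fixed_vr):
    """Compare two 'version-release' strings; version decides unless equal."""
    iv, ir = installed_vr.split("-", 1)
    fv, fr = fixed_vr.split("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def needs_update(nvra, fixed_vr=FIXED_VR):
    """True if the installed mailman package is older than the fixed build.

    Only meaningful for packages from the same distribution stream (el7);
    do not feed an el6 package into an el7 comparison.
    """
    name, version, release, _arch = parse_nvra(nvra)
    if name != "mailman":
        raise ValueError("not a mailman package: %r" % nvra)
    return compare_vr("%s-%s" % (version, release), fixed_vr) < 0


def installed_mailman():
    """Return 'rpm -q mailman' output, or None if rpm or the package is absent."""
    try:
        out = subprocess.run(["rpm", "-q", "mailman"], capture_output=True,
                             text=True, check=False)
    except OSError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    # Constructed fallback line, shaped like 'rpm -q mailman' output on CentOS 7,
    # used when rpm is not available on the machine running this script.
    sample = installed_mailman() or "mailman-2.1.15-17.el7.x86_64"
    print(sample, "needs update" if needs_update(sample) else "is at or above the fixed build")
```

On a real host the same comparison is what `yum check-update` performs for you; the value of doing it by hand is for fleet inventories where only the package strings are available.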
