(RHSA-2015:1153) Moderate: mailman security and bug fix update

2015-06-2300:00:00

access.redhat.com

7.6 High

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

0.031 Low

EPSS

Percentile

89.5%

JSON

Mailman is a program used to help manage email discussion lists.

It was found that mailman did not sanitize the list name before passing it
to certain MTAs. A local attacker could use this flaw to execute arbitrary
code as the user running mailman. (CVE-2015-2775)

This update also fixes the following bugs:

Previously, it was impossible to configure Mailman in a way that
Domain-based Message Authentication, Reporting & Conformance (DMARC) would
recognize Sender alignment for Domain Key Identified Mail (DKIM)
signatures. Consequently, Mailman list subscribers that belonged to a mail
server with a “reject” policy for DMARC, such as yahoo.com or AOL.com, were
unable to receive Mailman forwarded messages from senders residing in any
domain that provided DKIM signatures. With this update, domains with a
“reject” DMARC policy are recognized correctly, and Mailman list
administrators are able to configure the way these messages are handled. As
a result, after a proper configuration, subscribers now correctly receive
Mailman forwarded messages in this scenario. (BZ#1229288)
Previously, the /etc/mailman file had incorrectly set permissions, which
in some cases caused removing Mailman lists to fail with a “‘NoneType’
object has no attribute ‘close’” message. With this update, the permissions
value for /etc/mailman is correctly set to 2775 instead of 0755, and
removing Mailman lists now works as expected. (BZ#1229307)
Prior to this update, the mailman utility incorrectly installed the
tmpfiles configuration in the /etc/tmpfiles.d/ directory. As a consequence,
changes made to mailman tmpfiles configuration were overwritten if the
mailman packages were reinstalled or updated. The mailman utility now
installs the tmpfiles configuration in the /usr/lib/tmpfiles.d/ directory,
and changes made to them by the user are preserved on reinstall or update.
(BZ#1229306)

All mailman users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

OSVersionArchitecturePackageVersionFilename
RedHat7s390xmailman-debuginfo< 2.1.15-21.el7_1mailman-debuginfo-2.1.15-21.el7_1.s390x.rpm
RedHat7x86_64mailman< 2.1.15-21.el7_1mailman-2.1.15-21.el7_1.x86_64.rpm
RedHat7srcmailman< 2.1.15-21.el7_1mailman-2.1.15-21.el7_1.src.rpm
RedHat7x86_64mailman-debuginfo< 2.1.15-21.el7_1mailman-debuginfo-2.1.15-21.el7_1.x86_64.rpm
RedHat7ppc64mailman< 2.1.15-21.el7_1mailman-2.1.15-21.el7_1.ppc64.rpm
RedHat7s390xmailman< 2.1.15-21.el7_1mailman-2.1.15-21.el7_1.s390x.rpm
RedHat7ppc64mailman-debuginfo< 2.1.15-21.el7_1mailman-debuginfo-2.1.15-21.el7_1.ppc64.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	7	s390x	mailman-debuginfo	< 2.1.15-21.el7_1	mailman-debuginfo-2.1.15-21.el7_1.s390x.rpm
RedHat	7	x86_64	mailman	< 2.1.15-21.el7_1	mailman-2.1.15-21.el7_1.x86_64.rpm
RedHat	7	src	mailman	< 2.1.15-21.el7_1	mailman-2.1.15-21.el7_1.src.rpm
RedHat	7	x86_64	mailman-debuginfo	< 2.1.15-21.el7_1	mailman-debuginfo-2.1.15-21.el7_1.x86_64.rpm
RedHat	7	ppc64	mailman	< 2.1.15-21.el7_1	mailman-2.1.15-21.el7_1.ppc64.rpm
RedHat	7	s390x	mailman	< 2.1.15-21.el7_1	mailman-2.1.15-21.el7_1.s390x.rpm
RedHat	7	ppc64	mailman-debuginfo	< 2.1.15-21.el7_1	mailman-debuginfo-2.1.15-21.el7_1.ppc64.rpm