Vulnerabilities > CVE-2015-2775 - Path Traversal vulnerability in multiple products
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute arbitrary files via a .. (dot dot) in a list name.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Relative Path Traversal An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
- Directory Traversal An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and 'dir', or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
- File System Function Injection, Content Based An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
- Using Slashes and URL Encoding Combined to Bypass Validation Logic This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
- Manipulating Input to File System Calls An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-4296-1.NASL description This update for mailman fixes the following security vulnerabilities : Fixed a XSS vulnerability and information leak in user options CGI, which could be used to execute arbitrary scripts in the user last seen 2020-03-24 modified 2018-12-31 plugin id 119955 published 2018-12-31 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119955 title SUSE SLES12 Security Update : mailman (SUSE-SU-2018:4296-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2018:4296-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(119955); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/23"); script_cve_id("CVE-2015-2775", "CVE-2016-6893", "CVE-2018-0618", "CVE-2018-13796", "CVE-2018-5950"); script_bugtraq_id(73922); script_name(english:"SUSE SLES12 Security Update : mailman (SUSE-SU-2018:4296-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for mailman fixes the following security vulnerabilities : Fixed a XSS vulnerability and information leak in user options CGI, which could be used to execute arbitrary scripts in the user's browser via specially encoded URLs (bsc#1077358 CVE-2018-5950) Fixed a directory traversal vulnerability in MTA transports when using the recommended Mailman Transport for Exim (bsc#925502 CVE-2015-2775) Fixed a XSS vulnerability, which allowed malicious listowners to inject scripts into the listinfo pages (bsc#1099510 CVE-2018-0618) Fixed arbitrary text injection vulnerability in several mailman CGIs (CVE-2018-13796 bsc#1101288) Fixed a CSRF vulnerability on the user options page (CVE-2016-6893 bsc#995352) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1077358" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1099510" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1101288" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=925502" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=995352" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-2775/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-6893/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-0618/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-13796/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-5950/" ); # https://www.suse.com/support/update/announcement/2018/suse-su-20184296-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8457595a" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE OpenStack Cloud 7:zypper in -t patch SUSE-OpenStack-Cloud-7-2018-3062=1 SUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-3062=1 SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-3062=1 SUSE Linux Enterprise Server 12-SP4:zypper in -t patch SUSE-SLE-SERVER-12-SP4-2018-3062=1 SUSE Linux Enterprise Server 12-SP3:zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-3062=1 SUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-3062=1 SUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2018-3062=1 SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-3062=1 SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-2018-3062=1 SUSE Enterprise Storage 4:zypper in -t patch SUSE-Storage-4-2018-3062=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mailman"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mailman-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mailman-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/13"); script_set_attribute(attribute:"patch_publication_date", value:"2018/12/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/31"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0|1|2|3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1/2/3/4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"1", reference:"mailman-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mailman-debuginfo-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mailman-debugsource-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"4", reference:"mailman-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"4", reference:"mailman-debuginfo-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"4", reference:"mailman-debugsource-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mailman-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mailman-debuginfo-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mailman-debugsource-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"mailman-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"mailman-debuginfo-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"3", reference:"mailman-debugsource-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mailman-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mailman-debuginfo-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mailman-debugsource-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"2", reference:"mailman-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"2", reference:"mailman-debuginfo-2.1.17-3.3.3")) flag++; if (rpm_check(release:"SLES12", sp:"2", reference:"mailman-debugsource-2.1.17-3.3.3")) flag++; if (flag) { set_kb_item(name:'www/0/XSS', value:TRUE); set_kb_item(name:'www/0/XSRF', value:TRUE); if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mailman"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-186.NASL description A path traversal vulnerability was discovered in Mailman, the mailing list manager. Installations using a transport script (such as postfix-to-mailman.py) to interface with their MTA instead of static aliases were vulnerable to a path traversal attack. To successfully exploit this, an attacker needs write access on the local file system. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-04-07 plugin id 82593 published 2015-04-07 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82593 title Debian DLA-186-1 : mailman security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-186-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(82593); script_version("1.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2015-2775"); script_bugtraq_id(73922); script_name(english:"Debian DLA-186-1 : mailman security update"); script_summary(english:"Checks dpkg output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "A path traversal vulnerability was discovered in Mailman, the mailing list manager. Installations using a transport script (such as postfix-to-mailman.py) to interface with their MTA instead of static aliases were vulnerable to a path traversal attack. To successfully exploit this, an attacker needs write access on the local file system. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2015/04/msg00000.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/squeeze-lts/mailman" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected mailman package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mailman"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"6.0", prefix:"mailman", reference:"1:2.1.13-6")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-1417.NASL description From Red Hat Security Advisory 2015:1417 : Updated mailman packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mailman is a program used to help manage e-mail discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives. (CVE-2002-0389) This update also fixes the following bugs : * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a last seen 2020-06-01 modified 2020-06-02 plugin id 85105 published 2015-07-30 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85105 title Oracle Linux 6 : mailman (ELSA-2015-1417) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-13924-1.NASL description This update for mailman fixes the following issues : Fixed a XSS vulnerability and information leak in user options CGI, which could be used to execute arbitrary scripts in the user last seen 2020-03-18 modified 2019-01-08 plugin id 121005 published 2019-01-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121005 title SUSE SLES11 Security Update : mailman (SUSE-SU-2019:13924-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-1153.NASL description From Red Hat Security Advisory 2015:1153 : Updated mailman packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Mailman is a program used to help manage email discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) This update also fixes the following bugs : * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a last seen 2020-06-01 modified 2020-06-02 plugin id 84353 published 2015-06-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84353 title Oracle Linux 7 : mailman (ELSA-2015-1153) NASL family Scientific Linux Local Security Checks NASL id SL_20150623_MAILMAN_ON_SL7_X.NASL description -- * It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a last seen 2020-03-18 modified 2015-07-06 plugin id 84537 published 2015-07-06 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84537 title Scientific Linux Security Update : mailman on SL7.x x86_64 (20150623) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-1153.NASL description Updated mailman packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Mailman is a program used to help manage email discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) This update also fixes the following bugs : * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a last seen 2020-06-01 modified 2020-06-02 plugin id 84347 published 2015-06-24 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84347 title CentOS 7 : mailman (CESA-2015:1153) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1153.NASL description Updated mailman packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Mailman is a program used to help manage email discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) This update also fixes the following bugs : * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a last seen 2020-06-01 modified 2020-06-02 plugin id 84359 published 2015-06-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84359 title RHEL 7 : mailman (RHSA-2015:1153) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1417.NASL description Updated mailman packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mailman is a program used to help manage e-mail discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives. (CVE-2002-0389) This update also fixes the following bugs : * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a last seen 2020-06-01 modified 2020-06-02 plugin id 84944 published 2015-07-23 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84944 title RHEL 6 : mailman (RHSA-2015:1417) NASL family Fedora Local Security Checks NASL id FEDORA_2015-5333.NASL description Update to version 2.1.20. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-04-22 plugin id 82954 published 2015-04-22 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82954 title Fedora 22 : mailman-2.1.20-1.fc22 (2015-5333) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2015-582.NASL description It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives. (CVE-2002-0389) last seen 2020-06-01 modified 2020-06-02 plugin id 85455 published 2015-08-18 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85455 title Amazon Linux AMI : mailman (ALAS-2015-582) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3214.NASL description A path traversal vulnerability was discovered in Mailman, the mailing list manager. Installations using a transport script (such as postfix-to-mailman.py) to interface with their MTA instead of static aliases were vulnerable to a path traversal attack. To successfully exploit this, an attacker needs write access on the local file system. last seen 2020-03-17 modified 2015-04-08 plugin id 82622 published 2015-04-08 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82622 title Debian DSA-3214-1 : mailman - security update NASL family Scientific Linux Local Security Checks NASL id SL_20150722_MAILMAN_ON_SL6_X.NASL description It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) It was found that mailman stored private email messages in a world- readable directory. A local user could use this flaw to read private mailing list archives. (CVE-2002-0389) This update also fixes the following bugs : - Previously, it was impossible to configure Mailman in a way that Domain- based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a last seen 2020-03-18 modified 2015-08-04 plugin id 85201 published 2015-08-04 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85201 title Scientific Linux Security Update : mailman on SL6.x i386/x86_64 (20150722) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-1417.NASL description Updated mailman packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mailman is a program used to help manage e-mail discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives. (CVE-2002-0389) This update also fixes the following bugs : * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a last seen 2020-06-01 modified 2020-06-02 plugin id 85018 published 2015-07-28 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85018 title CentOS 6 : mailman (CESA-2015:1417) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2558-1.NASL description It was discovered that Mailman incorrectly handled special characters in list names. A local attacker could use this issue to perform a path traversal attack and execute arbitrary code as the Mailman user. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 82644 published 2015-04-08 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82644 title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : mailman vulnerability (USN-2558-1) NASL family Fedora Local Security Checks NASL id FEDORA_2015-5216.NASL description Update to new version 2.1.20. Fix dependency on python-dns. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-04 plugin id 83196 published 2015-05-04 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83196 title Fedora 21 : mailman-2.1.20-1.fc21 (2015-5216) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_A5F160FADEEE11E499F8080027EF73EC.NASL description Mark Sapiro reports : A path traversal vulnerability has been discovered and fixed. This vulnerability is only exploitable by a local user on a Mailman server where the suggested Exim transport, the Postfix postfix_to_mailman.py transport or some other programmatic MTA delivery not using aliases is employed. last seen 2020-06-01 modified 2020-06-02 plugin id 82681 published 2015-04-10 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82681 title FreeBSD : mailman -- path traversal vulnerability (a5f160fa-deee-11e4-99f8-080027ef73ec)
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154911.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156742.html
- http://rhn.redhat.com/errata/RHSA-2015-1153.html
- http://rhn.redhat.com/errata/RHSA-2015-1417.html
- http://www.debian.org/security/2015/dsa-3214
- http://www.securityfocus.com/bid/73922
- http://www.securitytracker.com/id/1032033
- http://www.ubuntu.com/usn/USN-2558-1
- https://bugs.launchpad.net/mailman/+bug/1437145
- https://mail.python.org/pipermail/mailman-announce/2015-March/000209.html
- https://mail.python.org/pipermail/mailman-developers/2015-March/024871.html
- https://mail.python.org/pipermail/mailman-developers/2015-March/024875.html