CVE-2015-2775 - Path Traversal vulnerability in multiple products

CVSS 7.6 - HIGH
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
network
high complexity
canonical
debian
redhat
gnu
CWE-22
nessus

Summary

Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute arbitrary files via a .. (dot dot) in a list name.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and "dir", or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content, including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications, from Microsoft Office to Adobe Acrobat and the Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points, they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attacker's program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst-case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special characters that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance, the US-ASCII space character would be represented with %20. This is often referred to as escaped encoding or percent-encoding. Since the server decodes the URL from the requests, it may restrict access to some URL paths by validating and filtering the URL requests it receives. An attacker will try to craft a URL with a sequence of special characters which, once interpreted by the server, will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other encoding formats such as UTF-8 encoding, Unicode encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-4296-1.NASL
    description: This update for mailman fixes the following security vulnerabilities : Fixed a XSS vulnerability and information leak in user options CGI, which could be used to execute arbitrary scripts in the user
    last seen: 2020-03-24
    modified: 2018-12-31
    plugin id: 119955
    published: 2018-12-31
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119955
    title: SUSE SLES12 Security Update : mailman (SUSE-SU-2018:4296-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:4296-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119955);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/23");
    
      script_cve_id("CVE-2015-2775", "CVE-2016-6893", "CVE-2018-0618", "CVE-2018-13796", "CVE-2018-5950");
      script_bugtraq_id(73922);
    
      script_name(english:"SUSE SLES12 Security Update : mailman (SUSE-SU-2018:4296-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for mailman fixes the following security vulnerabilities :
    
    Fixed a XSS vulnerability and information leak in user options CGI,
    which could be used to execute arbitrary scripts in the user's browser
    via specially encoded URLs (bsc#1077358 CVE-2018-5950)
    
    Fixed a directory traversal vulnerability in MTA transports when using
    the recommended Mailman Transport for Exim (bsc#925502 CVE-2015-2775)
    
    Fixed a XSS vulnerability, which allowed malicious listowners to
    inject scripts into the listinfo pages (bsc#1099510 CVE-2018-0618)
    
    Fixed arbitrary text injection vulnerability in several mailman CGIs
    (CVE-2018-13796 bsc#1101288)
    
    Fixed a CSRF vulnerability on the user options page (CVE-2016-6893
    bsc#995352)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1077358"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1099510"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1101288"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=925502"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=995352"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2015-2775/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-6893/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-0618/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-13796/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-5950/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20184296-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8457595a"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE OpenStack Cloud 7:zypper in -t patch
    SUSE-OpenStack-Cloud-7-2018-3062=1
    
    SUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch
    SUSE-SLE-SAP-12-SP2-2018-3062=1
    
    SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch
    SUSE-SLE-SAP-12-SP1-2018-3062=1
    
    SUSE Linux Enterprise Server 12-SP4:zypper in -t patch
    SUSE-SLE-SERVER-12-SP4-2018-3062=1
    
    SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-2018-3062=1
    
    SUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2018-3062=1
    
    SUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-BCL-2018-3062=1
    
    SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP1-2018-3062=1
    
    SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-2018-3062=1
    
    SUSE Enterprise Storage 4:zypper in -t patch
    SUSE-Storage-4-2018-3062=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mailman");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mailman-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mailman-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/12/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(0|1|2|3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1/2/3/4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", reference:"mailman-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"mailman-debuginfo-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"mailman-debugsource-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", reference:"mailman-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", reference:"mailman-debuginfo-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", reference:"mailman-debugsource-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"mailman-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"mailman-debuginfo-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"mailman-debugsource-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"mailman-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"mailman-debuginfo-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"mailman-debugsource-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mailman-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mailman-debuginfo-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mailman-debugsource-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"mailman-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"mailman-debuginfo-2.1.17-3.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"mailman-debugsource-2.1.17-3.3.3")) flag++;
    
    
    if (flag)
    {
      set_kb_item(name:'www/0/XSS', value:TRUE);
      set_kb_item(name:'www/0/XSRF', value:TRUE);
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mailman");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-186.NASL
    description: A path traversal vulnerability was discovered in Mailman, the mailing list manager. Installations using a transport script (such as postfix-to-mailman.py) to interface with their MTA instead of static aliases were vulnerable to a path traversal attack. To successfully exploit this, an attacker needs write access on the local file system. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2015-04-07
    plugin id: 82593
    published: 2015-04-07
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/82593
    title: Debian DLA-186-1 : mailman security update
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-186-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82593);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2015-2775");
      script_bugtraq_id(73922);
    
      script_name(english:"Debian DLA-186-1 : mailman security update");
      script_summary(english:"Checks dpkg output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A path traversal vulnerability was discovered in Mailman, the mailing
    list manager. Installations using a transport script (such as
    postfix-to-mailman.py) to interface with their MTA instead of static
    aliases were vulnerable to a path traversal attack. To successfully
    exploit this, an attacker needs write access on the local file system.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2015/04/msg00000.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze-lts/mailman"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected mailman package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mailman");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"6.0", prefix:"mailman", reference:"1:2.1.13-6")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2015-1417.NASL
    description: From Red Hat Security Advisory 2015:1417 : Updated mailman packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mailman is a program used to help manage e-mail discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives. (CVE-2002-0389) This update also fixes the following bugs : * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 85105
    published: 2015-07-30
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/85105
    title: Oracle Linux 6 : mailman (ELSA-2015-1417)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-13924-1.NASL
    description: This update for mailman fixes the following issues : Fixed a XSS vulnerability and information leak in user options CGI, which could be used to execute arbitrary scripts in the user
    last seen: 2020-03-18
    modified: 2019-01-08
    plugin id: 121005
    published: 2019-01-08
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121005
    title: SUSE SLES11 Security Update : mailman (SUSE-SU-2019:13924-1)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2015-1153.NASL
    description: From Red Hat Security Advisory 2015:1153 : Updated mailman packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Mailman is a program used to help manage email discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) This update also fixes the following bugs : * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84353
    published: 2015-06-24
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84353
    title: Oracle Linux 7 : mailman (ELSA-2015-1153)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20150623_MAILMAN_ON_SL7_X.NASL
    description: * It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a
    last seen: 2020-03-18
    modified: 2015-07-06
    plugin id: 84537
    published: 2015-07-06
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84537
    title: Scientific Linux Security Update : mailman on SL7.x x86_64 (20150623)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2015-1153.NASL
    description: Updated mailman packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Mailman is a program used to help manage email discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) This update also fixes the following bugs : * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84347
    published: 2015-06-24
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84347
    title: CentOS 7 : mailman (CESA-2015:1153)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-1153.NASL
    description: Updated mailman packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Mailman is a program used to help manage email discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) This update also fixes the following bugs : * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84359
    published: 2015-06-24
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84359
    title: RHEL 7 : mailman (RHSA-2015:1153)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-1417.NASL
    description: Updated mailman packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mailman is a program used to help manage e-mail discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives. (CVE-2002-0389) This update also fixes the following bugs : * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84944
    published: 2015-07-23
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84944
    title: RHEL 6 : mailman (RHSA-2015:1417)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2015-5333.NASL
    description: Update to version 2.1.20. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2015-04-22
    plugin id: 82954
    published: 2015-04-22
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/82954
    title: Fedora 22 : mailman-2.1.20-1.fc22 (2015-5333)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2015-582.NASL
    description: It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives. (CVE-2002-0389)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 85455
    published: 2015-08-18
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/85455
    title: Amazon Linux AMI : mailman (ALAS-2015-582)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3214.NASL
    description: A path traversal vulnerability was discovered in Mailman, the mailing list manager. Installations using a transport script (such as postfix-to-mailman.py) to interface with their MTA instead of static aliases were vulnerable to a path traversal attack. To successfully exploit this, an attacker needs write access on the local file system.
    last seen: 2020-03-17
    modified: 2015-04-08
    plugin id: 82622
    published: 2015-04-08
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/82622
    title: Debian DSA-3214-1 : mailman - security update
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20150722_MAILMAN_ON_SL6_X.NASL
    description: It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives. (CVE-2002-0389) This update also fixes the following bugs : - Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a
    last seen: 2020-03-18
    modified: 2015-08-04
    plugin id: 85201
    published: 2015-08-04
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/85201
    title: Scientific Linux Security Update : mailman on SL6.x i386/x86_64 (20150722)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2015-1417.NASL
    description: Updated mailman packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mailman is a program used to help manage e-mail discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives. (CVE-2002-0389) This update also fixes the following bugs : * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 85018
    published: 2015-07-28
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/85018
    title: CentOS 6 : mailman (CESA-2015:1417)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2558-1.NASL
    description: It was discovered that Mailman incorrectly handled special characters in list names. A local attacker could use this issue to perform a path traversal attack and execute arbitrary code as the Mailman user. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82644
    published: 2015-04-08
    reporter: Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/82644
    title: Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : mailman vulnerability (USN-2558-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2015-5216.NASL
    description: Update to new version 2.1.20. Fix dependency on python-dns. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2015-05-04
    plugin id: 83196
    published: 2015-05-04
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/83196
    title: Fedora 21 : mailman-2.1.20-1.fc21 (2015-5216)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_A5F160FADEEE11E499F8080027EF73EC.NASL
    description: Mark Sapiro reports : A path traversal vulnerability has been discovered and fixed. This vulnerability is only exploitable by a local user on a Mailman server where the suggested Exim transport, the Postfix postfix_to_mailman.py transport or some other programmatic MTA delivery not using aliases is employed.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82681
    published: 2015-04-10
    reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/82681
    title: FreeBSD : mailman -- path traversal vulnerability (a5f160fa-deee-11e4-99f8-080027ef73ec)

Redhat

advisories
  • bugzilla
    id: 1229307
    title: /etc/mailman has wrong permissions 0755 instead of 2775
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 7 is installed
        oval: oval:com.redhat.rhba:tst:20150364027
      • comment: mailman is earlier than 3:2.1.15-21.el7_1
        oval: oval:com.redhat.rhsa:tst:20151153001
      • comment: mailman is signed with Red Hat redhatrelease2 key
        oval: oval:com.redhat.rhsa:tst:20110308002
    rhsa
    id: RHSA-2015:1153
    released: 2015-06-23
    severity: Moderate
    title: RHSA-2015:1153: mailman security and bug fix update (Moderate)
  • bugzilla
    id: 1208059
    title: CVE-2015-2775 mailman: directory traversal in MTA transports that deliver programmatically
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 6 is installed
        oval: oval:com.redhat.rhba:tst:20111656003
      • comment: mailman is earlier than 3:2.1.12-25.el6
        oval: oval:com.redhat.rhsa:tst:20151417001
      • comment: mailman is signed with Red Hat redhatrelease2 key
        oval: oval:com.redhat.rhsa:tst:20110308002
    rhsa
    id: RHSA-2015:1417
    released: 2015-07-20
    severity: Moderate
    title: RHSA-2015:1417: mailman security and bug fix update (Moderate)
rpms
  • mailman-3:2.1.15-21.ael7b_1
  • mailman-3:2.1.15-21.el7_1
  • mailman-debuginfo-3:2.1.15-21.ael7b_1
  • mailman-debuginfo-3:2.1.15-21.el7_1
  • mailman-3:2.1.12-25.el6
  • mailman-debuginfo-3:2.1.12-25.el6