Summary:
mailman security update
Severity: High
Advisory ID: KylinSec-SA-2022-2096
Published: 23 September 2022
Mailman is free software for managing electronic mail discussion and e-newsletter lists. Mailman is integrated with the web, making it easy for users to manage their accounts and for list owners to administer their lists. Mailman supports built-in archiving, automatic bounce processing, content filtering, digest delivery, spam filters, and more.
Security Fix(es):
In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.(CVE-2021-43332)
In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.(CVE-2021-43331)
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.(CVE-2021-44227)
CVE | Product | Component | Status |
---|---|---|---|
CVE-2021-43332 | KY3.4-5A | mailman | Fixed |
CVE-2021-43331 | KY3.4-5A | mailman | Fixed |
CVE-2021-44227 | KY3.4-5A | mailman | Fixed |
Package | Architecture | Version |
---|---|---|
mailman | x86_64 | 2.1.36-2.kb2.ky3 |
mailman | aarch64 | 2.1.36-2.kb2.ky3 |
Method 1: download the package and upgrade with rpm
1. Download the upgrade package from the download link and save it, e.g. xxx.rpm
2. Upgrade it with the rpm command, e.g. rpm -Uvh xxx.rpm
Method 2: upgrade from the software repository
1. Make sure the host can reach the Internet (or the configured package repository)
2. Upgrade the specific package with yum, e.g. yum install mailman (yum upgrades an already-installed package to the newest version available in the repository; yum update mailman does the same)
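The script below is an added example for this advisory, not KylinSec's or Mailman's own tooling. It carries out method 2 end to end: it reads the installed mailman version-release with rpm, compares it with the fixed build from the table above (2.1.36-2.kb2.ky3, taken as the assumed threshold), upgrades with yum when the installed build is older, and then checks the package %changelog for the three CVE identifiers. The changelog check matters because the fixed package keeps the upstream version number 2.1.36 even though CVE-2021-44227 was fixed upstream in 2.1.38, so the version string alone does not show whether that fix is present in the KylinSec build. Version ordering uses GNU sort -V, which is an approximation of rpm's comparison that is adequate for the N.N.N-R.kbN.kyN strings in this advisory; rpm and yum are only invoked when they exist, so the helper functions also run on a host without them.

```shell
#!/bin/sh
# Added example for KylinSec-SA-2022-2096; not KylinSec's or Mailman's own code.
# Assumptions: the fixed version-release string from the advisory table,
# GNU `sort -V` for version ordering, and rpm/yum present only on the target host.

FIXED_VERSION="2.1.36-2.kb2.ky3"   # version-release from the advisory table
PKG="mailman"

# version_lt A B: succeed when A is strictly older than B.
# sort -V orders digit runs numerically, which matches rpm ordering for the
# N.N.N-R.kbN.kyN strings used here (it is not a full rpmvercmp).
version_lt() {
    [ "$1" != "$2" ] || return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# needs_update INSTALLED: succeed when INSTALLED predates FIXED_VERSION
needs_update() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version: print VERSION-RELEASE of the installed package; fail if
# rpm is missing or the package is not installed
installed_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PKG" 2>/dev/null || return 1
}

# cve_fix_count: read changelog text on stdin and print how many distinct
# advisory CVEs (CVE-2021-43331, CVE-2021-43332, CVE-2021-44227) it names.
# The upstream version stays 2.1.36 although CVE-2021-44227 was fixed upstream
# in 2.1.38, so the %changelog is where the distro build's fix is visible.
cve_fix_count() {
    grep -o -E 'CVE-2021-4333[12]|CVE-2021-44227' | sort -u | wc -l | tr -d ' '
}

# check_and_upgrade: the end-to-end procedure on a real KY3.4-5A host
check_and_upgrade() {
    if ! installed=$(installed_version); then
        echo "$PKG is not installed (or rpm is unavailable); nothing to do"
        return 0
    fi
    if needs_update "$installed"; then
        echo "$PKG $installed is older than $FIXED_VERSION; upgrading"
        yum -y install "$PKG" || return 1   # yum upgrades an installed package
        installed=$(installed_version) || return 1
    fi
    echo "$PKG $installed is installed"
    n=$(rpm -q --changelog "$PKG" | cve_fix_count)
    echo "changelog references $n of 3 advisory CVEs"
}

# Run the procedure only where rpm exists, so the helpers above can be
# exercised on any machine.
if command -v rpm >/dev/null 2>&1; then
    check_and_upgrade
fi
```

Run it as root on the affected host; a count below 3 after the upgrade means the installed build does not document all three fixes and should be compared against the advisory's package version before the host is considered remediated.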