Issued:: 2021-11-23
Updated:: 2021-11-23

RHSA-2021:4826 - Security Advisory

Overview
Updated Packages

Synopsis

Important: mailman:2.1 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mailman is a program used to help manage e-mail discussion lists.

Security Fix(es):

mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)
mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux for x86_64 8 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
Red Hat Enterprise Linux Server - AUS 8.6 x86_64
Red Hat Enterprise Linux for IBM z Systems 8 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
Red Hat Enterprise Linux for Power, little endian 8 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
Red Hat Enterprise Linux Server - TUS 8.8 x86_64
Red Hat Enterprise Linux Server - TUS 8.6 x86_64
Red Hat Enterprise Linux for ARM 64 8 aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64

Fixes

BZ - 2020568 - CVE-2021-42097 mailman: CSRF token bypass allows to perform CSRF attacks and account takeover
BZ - 2020575 - CVE-2021-42096 mailman: CSRF token derived from admin password allows offline brute-force attack

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for x86_64 8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux Server - AUS 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
s390x
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm	SHA-256: 251494357823f0aa993fff1f1ab58e429b7cfe1db20c76e7bb47f15cd4faea23
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm	SHA-256: d0f0da31147b2e0eca25c296d6f1d052afda36fde4aeac0ce6c382c53344157d
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm	SHA-256: 97aaaaf7433f66c5049d0165a8fd57fe3ae33c7008bb4560e318c11caac2611c

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
s390x
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm	SHA-256: 251494357823f0aa993fff1f1ab58e429b7cfe1db20c76e7bb47f15cd4faea23
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm	SHA-256: d0f0da31147b2e0eca25c296d6f1d052afda36fde4aeac0ce6c382c53344157d
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm	SHA-256: 97aaaaf7433f66c5049d0165a8fd57fe3ae33c7008bb4560e318c11caac2611c

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
s390x
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm	SHA-256: 251494357823f0aa993fff1f1ab58e429b7cfe1db20c76e7bb47f15cd4faea23
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm	SHA-256: d0f0da31147b2e0eca25c296d6f1d052afda36fde4aeac0ce6c382c53344157d
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm	SHA-256: 97aaaaf7433f66c5049d0165a8fd57fe3ae33c7008bb4560e318c11caac2611c

Red Hat Enterprise Linux for Power, little endian 8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
ppc64le
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: 49301417db2f3cba462008e852393fb7861423abf93415011eacc35e2fdb270a
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: d9b15d2a8c6ddd1bb7afa870db71c5b4b8bd9251462862a590da8f079c59fefa
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: c070dbad29efe064584801abf0625910b67d7d3221595299ca6933d220d8288c

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
ppc64le
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: 49301417db2f3cba462008e852393fb7861423abf93415011eacc35e2fdb270a
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: d9b15d2a8c6ddd1bb7afa870db71c5b4b8bd9251462862a590da8f079c59fefa
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: c070dbad29efe064584801abf0625910b67d7d3221595299ca6933d220d8288c

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
ppc64le
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: 49301417db2f3cba462008e852393fb7861423abf93415011eacc35e2fdb270a
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: d9b15d2a8c6ddd1bb7afa870db71c5b4b8bd9251462862a590da8f079c59fefa
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: c070dbad29efe064584801abf0625910b67d7d3221595299ca6933d220d8288c

Red Hat Enterprise Linux Server - TUS 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux Server - TUS 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux for ARM 64 8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
aarch64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm	SHA-256: cf69380605041a6f22351628c0f5e6fa36c50251a719bf70a57286ac6cfd6b23
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm	SHA-256: ffb9f7e604cc740e80aa6d01a1367a43e6ebdc047a6b3cd1e815ca84f412722b
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm	SHA-256: 281788674c155773d5a9de5d822a57296aafc035c065f1d9b1e7ac5b488b30fd

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
aarch64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm	SHA-256: cf69380605041a6f22351628c0f5e6fa36c50251a719bf70a57286ac6cfd6b23
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm	SHA-256: ffb9f7e604cc740e80aa6d01a1367a43e6ebdc047a6b3cd1e815ca84f412722b
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm	SHA-256: 281788674c155773d5a9de5d822a57296aafc035c065f1d9b1e7ac5b488b30fd

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
aarch64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm	SHA-256: cf69380605041a6f22351628c0f5e6fa36c50251a719bf70a57286ac6cfd6b23
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm	SHA-256: ffb9f7e604cc740e80aa6d01a1367a43e6ebdc047a6b3cd1e815ca84f412722b
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm	SHA-256: 281788674c155773d5a9de5d822a57296aafc035c065f1d9b1e7ac5b488b30fd

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
ppc64le
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: 49301417db2f3cba462008e852393fb7861423abf93415011eacc35e2fdb270a
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: d9b15d2a8c6ddd1bb7afa870db71c5b4b8bd9251462862a590da8f079c59fefa
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: c070dbad29efe064584801abf0625910b67d7d3221595299ca6933d220d8288c

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
ppc64le
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: 49301417db2f3cba462008e852393fb7861423abf93415011eacc35e2fdb270a
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: d9b15d2a8c6ddd1bb7afa870db71c5b4b8bd9251462862a590da8f079c59fefa
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm	SHA-256: c070dbad29efe064584801abf0625910b67d7d3221595299ca6933d220d8288c

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm	SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm	SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.