Red Hat Product Errata RHSA-2021:4826 - Security Advisory
Issued:
2021-11-23
Updated:
2021-11-23

RHSA-2021:4826 - Security Advisory

Synopsis

Important: mailman:2.1 security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mailman is a program used to help manage e-mail discussion lists.

Security Fix(es):

  • mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)
  • mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.8 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.6 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.8 x86_64
  • Red Hat Enterprise Linux Server - TUS 8.6 x86_64
  • Red Hat Enterprise Linux for ARM 64 8 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64

Fixes

  • BZ - 2020568 - CVE-2021-42097 mailman: CSRF token bypass allows to perform CSRF attacks and account takeover
  • BZ - 2020575 - CVE-2021-42096 mailman: CSRF token derived from admin password allows offline brute-force attack

Red Hat Enterprise Linux for x86_64 8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux Server - AUS 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
s390x
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm SHA-256: 251494357823f0aa993fff1f1ab58e429b7cfe1db20c76e7bb47f15cd4faea23
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm SHA-256: d0f0da31147b2e0eca25c296d6f1d052afda36fde4aeac0ce6c382c53344157d
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm SHA-256: 97aaaaf7433f66c5049d0165a8fd57fe3ae33c7008bb4560e318c11caac2611c

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
s390x
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm SHA-256: 251494357823f0aa993fff1f1ab58e429b7cfe1db20c76e7bb47f15cd4faea23
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm SHA-256: d0f0da31147b2e0eca25c296d6f1d052afda36fde4aeac0ce6c382c53344157d
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm SHA-256: 97aaaaf7433f66c5049d0165a8fd57fe3ae33c7008bb4560e318c11caac2611c

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
s390x
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm SHA-256: 251494357823f0aa993fff1f1ab58e429b7cfe1db20c76e7bb47f15cd4faea23
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm SHA-256: d0f0da31147b2e0eca25c296d6f1d052afda36fde4aeac0ce6c382c53344157d
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.s390x.rpm SHA-256: 97aaaaf7433f66c5049d0165a8fd57fe3ae33c7008bb4560e318c11caac2611c

Red Hat Enterprise Linux for Power, little endian 8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
ppc64le
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: 49301417db2f3cba462008e852393fb7861423abf93415011eacc35e2fdb270a
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: d9b15d2a8c6ddd1bb7afa870db71c5b4b8bd9251462862a590da8f079c59fefa
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: c070dbad29efe064584801abf0625910b67d7d3221595299ca6933d220d8288c

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
ppc64le
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: 49301417db2f3cba462008e852393fb7861423abf93415011eacc35e2fdb270a
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: d9b15d2a8c6ddd1bb7afa870db71c5b4b8bd9251462862a590da8f079c59fefa
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: c070dbad29efe064584801abf0625910b67d7d3221595299ca6933d220d8288c

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
ppc64le
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: 49301417db2f3cba462008e852393fb7861423abf93415011eacc35e2fdb270a
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: d9b15d2a8c6ddd1bb7afa870db71c5b4b8bd9251462862a590da8f079c59fefa
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: c070dbad29efe064584801abf0625910b67d7d3221595299ca6933d220d8288c

Red Hat Enterprise Linux Server - TUS 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux Server - TUS 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux for ARM 64 8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
aarch64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm SHA-256: cf69380605041a6f22351628c0f5e6fa36c50251a719bf70a57286ac6cfd6b23
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm SHA-256: ffb9f7e604cc740e80aa6d01a1367a43e6ebdc047a6b3cd1e815ca84f412722b
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm SHA-256: 281788674c155773d5a9de5d822a57296aafc035c065f1d9b1e7ac5b488b30fd

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
aarch64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm SHA-256: cf69380605041a6f22351628c0f5e6fa36c50251a719bf70a57286ac6cfd6b23
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm SHA-256: ffb9f7e604cc740e80aa6d01a1367a43e6ebdc047a6b3cd1e815ca84f412722b
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm SHA-256: 281788674c155773d5a9de5d822a57296aafc035c065f1d9b1e7ac5b488b30fd

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
aarch64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm SHA-256: cf69380605041a6f22351628c0f5e6fa36c50251a719bf70a57286ac6cfd6b23
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm SHA-256: ffb9f7e604cc740e80aa6d01a1367a43e6ebdc047a6b3cd1e815ca84f412722b
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.aarch64.rpm SHA-256: 281788674c155773d5a9de5d822a57296aafc035c065f1d9b1e7ac5b488b30fd

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
ppc64le
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: 49301417db2f3cba462008e852393fb7861423abf93415011eacc35e2fdb270a
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: d9b15d2a8c6ddd1bb7afa870db71c5b4b8bd9251462862a590da8f079c59fefa
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: c070dbad29efe064584801abf0625910b67d7d3221595299ca6933d220d8288c

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
ppc64le
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: 49301417db2f3cba462008e852393fb7861423abf93415011eacc35e2fdb270a
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: d9b15d2a8c6ddd1bb7afa870db71c5b4b8bd9251462862a590da8f079c59fefa
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.ppc64le.rpm SHA-256: c070dbad29efe064584801abf0625910b67d7d3221595299ca6933d220d8288c

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6

SRPM
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.src.rpm SHA-256: b513b7e634561b13c12b5eb664854cee92e48f40603baca66ed90d2a1a996ae8
x86_64
mailman-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 131e19719237129a7265592aa229630be8577711fec23b834916f0eab7d0ca28
mailman-debuginfo-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 33df88d7c292adbc9985f0f1243aabe7ac70fea67f044f930f65a2dafdd4f4e4
mailman-debugsource-2.1.29-12.module+el8.5.0+13211+e8845b76.1.x86_64.rpm SHA-256: 742d531fd90847d55c8675c3dae29e7202301b173eb05c2c60a2ad1b2ba681ca

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.