{"affected":[{"ecosystem_specific":{"binaries":[{"mailman":"2.1.35-bp152.7.6.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP2","name":"mailman","purl":"pkg:rpm/suse/mailman&distro=SUSE%20Package%20Hub%2015%20SP2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.1.35-bp152.7.6.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for mailman fixes the following issues:\n\nUpdate to 2.1.35 to fix 2 security issues: \n\n- A potential for a list member to carry out an off-line brute force\n  attack to obtain the list admin password has been reported by Andre\n  Protas, Richard Cloke and Andy Nuttall of Apple.  This is fixed.\n  CVE-2021-42096  (boo#1191959, LP:#1947639)\n \n- A CSRF attack via the user options page could allow takeover of a user's\n  account.  This is fixed.  CVE-2021-42097  (boo#1191960, LP:#1947640)\n- make package build reproducible (boo#1047218)\n\nThis update was imported from the openSUSE:Leap:15.2:Update update project.","id":"openSUSE-SU-2021:1452-1","modified":"2021-11-05T15:06:22Z","published":"2021-11-05T15:06:22Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJE7PQHJDJVNG4MP75G5GY65ABFE2RAP/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1047218"},{"type":"REPORT","url":"https://bugzilla.suse.com/1191959"},{"type":"REPORT","url":"https://bugzilla.suse.com/1191960"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-42096"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-42097"}],"related":["CVE-2021-42096","CVE-2021-42097"],"summary":"Security update for mailman","upstream":["CVE-2021-42096","CVE-2021-42097"]}