—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1848
hyperkitty security update
31 May 2021
===========================================================================
AusCERT Security Bulletin Summary
———————————
Product: hyperkitty
Publisher: Debian
Operating System: Debian GNU/Linux
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Confidential Data — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-33038
Original Bulletin:
http://www.debian.org/security/2021/dsa-4922
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running hyperkitty check for an updated version of the software for
their operating system.
– ————————–BEGIN INCLUDED TEXT——————–
– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512
– – ————————————————————————-
Debian Security Advisory DSA-4922-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 29, 2021 https://www.debian.org/security/faq
– – ————————————————————————-
Package : hyperkitty
CVE ID : CVE-2021-33038
Amir Sarabadani and Kunal Mehta discovered that the import functionality
of Hyperkitty, the web user interface to access Mailman 3 archives, did
not restrict the visibility of private archives during the import, i.e.
that during the import of a private Mailman 2 archive the archive was
publicly accessible until the import completed.
For the stable distribution (buster), this problem has been fixed in
version 1.2.2-1+deb10u1.
We recommend that you upgrade your hyperkitty packages.
For the detailed security status of hyperkitty please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/hyperkitty
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
– —–BEGIN PGP SIGNATURE—–
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmCyGwMACgkQEMKTtsN8
TjYNeA//aKIOxYnECImzLoOsdq7bZ0EkklzMOExDUDj5YkPuyoU5u4UXT3ulllAL
sd2q8PHw1SNp873juSEYTI9nqnHf8VmnL9oRp1Wr7MIVT6pxIOUhGQZCx4nMEih8
ovF9ZrSeyGeZH3jEUp+P1N9LNlEPHqLXb5xIRmDgv/WdBhZklBdGAzXqQ2A2bBpa
QiOoE5K25F3n/66PuPhzbiYnjmdvbTWOVJO0mma4d0ITHRED+tTGTQyG6sDEi+mo
83LNdAh/Ytvo3M5AODiJn/EUMnzegBydMp758QFLuvheTkw1e1QuPQk1M3Y9nHw/
DMOyR8rwSEUl1REDVZTol2RTX83HH7wRiLNK4ImTqJkzbV2+1cE2Kfg/0T4CX1FH
Wuey7dhLusOlkkSpL6T8xRI2rwV6xDkLM7sYspzn7JTHzRjkqDPjEafOBXvNekvu
VIGaIdZpDPQ6C3S82VtMwInDfCh8mxjj2JcZgxj0QJTVwYJZI072P3BbMoiwA/ce
WJGOtebbtxpizjmxCOQaSgnC5dow8oH/5lIVu30z09+j1cke8SCCrYmN8FxIs3Qi
nrjX+yCnZ2JSrX1L1o59WWaQkeEcRwvNwF+ggaQbt+NmFXVxBlUGCu1qd9y/IWMj
KtB5440D+dmxiZaUoltZ+84zU5HHoqi+1nE3k0Nkj64LS5vY+iA=
=uZSt
– —–END PGP SIGNATURE—–
– ————————–END INCLUDED TEXT——————–
You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
—–BEGIN PGP SIGNATURE—–
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYLRKFuNLKJtyKPYoAQi6RhAAl/RO2ZzLvcHlg3i6HpDMIOKnuTGq5CMn
t4goORlEHBcm/hO9GTvjJcoXFZOl3lNZ+x/77XrAbGNdRQTOmhe2jsmz366MjciT
87B89OGJG2yZLfQC3uTTOE8X887PsJXj2oTq/6ppEJm6M4QD9Z5yaBHftVYWxmyA
D1M0y4CMEHdUeq1tgDoMaPGKg7CyHKGD/5viuut87PFzYqTUg2jEvHE97D9OWEoa
qjOWw1LGSj70HbpiUHnHKKNsVtwoRqYR9otgvkRFwYNEAw9X4l50HIwr2Loi9uIw
JnZHAfvGV5pt2omej3xOmTHWJF4Qb+wWEPschc8Nplh1Rn5XP43qV2TFGchh1dkT
zmamhZUaFdpUR230W1AHXZxaN5LJ/5bijZexS+bz79fXoaKfQ4XUOHEPJaJjJrjY
0tE65IspJdAaE22T+ehItdXp0PHQwYy9ztOcP1NL9ZIcWox4kQijfQswoiea1C99
1rQ4YEpbbWaWPNG2SBGjxDc8sRUwSbiQxa6PGgLztpybG6BN7AbMc+JNQ67lHSot
39d0rTuQMDZFc4bgm6cnvk0k0BmyPyodh6ma2TZ6UapN3QMtsI2QwsVtMnFi4Wbe
B4Hg4iyG8YkKhYyTEasRDWRt7ASfDzrWF+GzrCrpF/6RayDb8tVD5fvVE4f5Y6Zo
cOKjNcxlN9Q=
=NPGf
—–END PGP SIGNATURE—–
The post ESB-2021.1848 – [UNIX/Linux][Debian] hyperkitty: Access confidential data – Remote/unauthenticated appeared first on Malware Devil.
https://malwaredevil.com/2021/05/31/esb-2021-1848-unix-linuxdebian-hyperkitty-access-confidential-data-remote-unauthenticated/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1848-unix-linuxdebian-hyperkitty-access-confidential-data-remote-unauthenticated
No comments:
Post a Comment