[Pkg-mailman-hackers] Bug#1001685: mailman: CVE-2021-44227 and updated fix for CVE-2021-42097

Thomas Arendsen Hein thomas at intevation.de
Tue Dec 14 10:23:53 GMT 2021


Package: mailman
Version: 1:2.1.29-1+deb10u2
Severity: important

Hi!

Mailman 2.1.38 has been released to fix CVE-2021-44227 (a list
member or moderator can get a CSRF token and craft an admin request),
and 2.1.39 has been released to fix a regression in the above fix and
to update the fix for CVE-2021-42097.

https://mail.python.org/archives/list/mailman-announce@python.org/thread/D54X2LXETPMVP5KZNM2WP6Z6UOPJXSVD/
Can you update the packages for Debian buster (and ideally for
stretch LTS, too)?

In bug report #1000367 an updated package 1:2.1.29-1+deb10u3 has
been created, but it is not yet available via buster-security.
That's why I have marked this ticket with "1:2.1.29-1+deb10u2"
above.

Thank you,

Thomas Arendsen Hein

-- 
Thomas Arendsen Hein <thomas at intevation.de>
OpenPGP key: https://intevation.de/~thomas/thomas_pgp.asc (0xD45DE28FF3A2250C)
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner