[Pkg-mailman-hackers] Bug#1001685: mailman: CVE-2021-44227 and updated fix for CVE-2021-42097
Salvatore Bonaccorso
carnil at debian.org
Tue Dec 14 20:13:00 GMT 2021
Control: tags -1 + upstream security
Hi Thomas,
On Tue, Dec 14, 2021 at 11:23:53AM +0100, Thomas Arendsen Hein wrote:
> Package: mailman
> Version: 1:2.1.29-1+deb10u2
> Severity: important
>
> Hi!
>
> Mailman 2.1.38 has been released to fix CVE-2021-44227 (a list
> member or moderator can get a CSRF token and craft an admin request),
> and 2.1.39 has been released to fix a regression in above fix and
> to update the fix for CVE-2021-42097.
>
> https://mail.python.org/archives/list/mailman-announce@python.org/thread/D54X2LXETPMVP5KZNM2WP6Z6UOPJXSVD/
>
> Can you update the packages for Debian buster (and ideally for
> stretch LTS, too)?
See: https://bugs.debian.org/1001556 so it's pending for the next
buster point release.
> In bug report #1000367 an updated package 1:2.1.29-1+deb10u3 has
> been created, but it is not yet available via buster-security.
> That's why I have marked this ticket with "1:2.1.29-1+deb10u2"
> above.
Likewise: https://bugs.debian.org/1000386
So in summary, all the CVE fixes are already pending for the next
point release for buster.
Hope this helps,
Regards,
Salvatore