[Pkg-mailman-hackers] Bug#1001685: mailman: CVE-2021-44227 and updated fix for CVE-2021-42097
Salvatore Bonaccorso
carnil at debian.org
Tue Dec 14 20:40:44 GMT 2021
Hi Thomas,
On Tue, Dec 14, 2021 at 09:13:02PM +0100, Salvatore Bonaccorso wrote:
> Control: tags -1 + upstream security
>
> Hi Thomas,
>
> On Tue, Dec 14, 2021 at 11:23:53AM +0100, Thomas Arendsen Hein wrote:
> > Package: mailman
> > Version: 1:2.1.29-1+deb10u2
> > Severity: important
> >
> > Hi!
> >
> > Mailman 2.1.38 has been released to fix CVE-2021-44227 (a list
> > member or moderator can get a CSRF token and craft an admin request),
> > and 2.1.39 has been released to fix a regression in above fix and
> > to update the fix for CVE-2021-42097.
> >
> > https://mail.python.org/archives/list/mailman-announce@python.org/thread/D54X2LXETPMVP5KZNM2WP6Z6UOPJXSVD/
> > Can you update the packages for Debian buster (and ideally for
> > stretch LTS, too)?
>
> See: https://bugs.debian.org/1001556 so it's pending for the next
> buster point release.
>
> > In bug report #1000367 an updated package 1:2.1.29-1+deb10u3 has
> > been created, but it is not yet available via buster-security.
> > That's why I have marked this ticket with "1:2.1.29-1+deb10u2"
> > above.
>
> Likewise: https://bugs.debian.org/1000386
>
> So in summary, all the CVE fixes are already pending for the next
> point release for buster.
Btw, that said, I would appreciate if the proposed packages get some
additional testing exposure.
I will try to provide in the next days as well a follow-up to the
additional regression fix and improvement bugfix mentioned in the
2.1.39 release.
Regards,
Salvatore