[Pkg-mailman-hackers] Bug#1000367: mailman: CVE-2021-43331 (XSS) and CVE-2021-43332 (moderator can discover admin password)
Thomas Arendsen Hein
thomas at intevation.de
Mon Nov 22 08:09:06 GMT 2021
Package: mailman
Version: 1:2.1.29-1+deb10u2
Severity: important
Hi!
Mailman 2.1.36 an 2.1.37 have been released to fix CVE-2021-43331
(XSS) and CVE-2021-43332 (moderator can discover admin password):
https://mail.python.org/archives/list/mailman-announce@python.org/thread/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/
Can you update the packages for Debian buster (and ideally for
stretch LTS, too)?
Thank you for maintaining the package, this has been very helpful.
Best Regards,
Thomas Arendsen Hein
-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-18-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), LANGUAGE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages mailman depends on:
pn apache2 | httpd <none>
ii cron [cron-daemon] 3.0pl1-134+deb10u1
ii debconf [debconf-2.0] 1.5.71+deb10u1
ii libc6 2.28-10
ii logrotate 3.14.0-4
ii lsb-base 10.2019051400
ii python 2.7.16-1
ii python-dnspython 1.16.0-1+deb10u1
ii ucf 3.0038+nmu1
Versions of packages mailman recommends:
ii postfix [mail-transport-agent] 3.4.14-0+deb10u1
Versions of packages mailman suggests:
pn listadmin <none>
ii lynx 2.8.9rel.1-3+deb10u1
pn mailman3-full <none>
pn spamassassin <none>
--
Thomas Arendsen Hein <thomas at intevation.de>
OpenPGP key: https://intevation.de/~thomas/thomas_pgp.asc (0xD45DE28FF3A2250C)
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
More information about the Pkg-mailman-hackers
mailing list