[Pkg-mailman-hackers] Bug#1001685: mailman: CVE-2021-44227 and updated fix for CVE-2021-42097

Salvatore Bonaccorso carnil at debian.org
Thu Jan 6 05:51:34 GMT 2022


Control: forwarded -1 https://bugs.launchpad.net/mailman/+bug/1954694

Hi Thomas,

On Tue, Dec 14, 2021 at 09:40:44PM +0100, Salvatore Bonaccorso wrote:
> Hi Thomas,
> 
> On Tue, Dec 14, 2021 at 09:13:02PM +0100, Salvatore Bonaccorso wrote:
> > Control: tags -1 + upstream security
> > 
> > Hi Thomas,
> > 
> > On Tue, Dec 14, 2021 at 11:23:53AM +0100, Thomas Arendsen Hein wrote:
> > > Package: mailman
> > > Version: 1:2.1.29-1+deb10u2
> > > Severity: important
> > > 
> > > Hi!
> > > 
> > > Mailman 2.1.38 has been released to fix CVE-2021-44227 (a list
> > > member or moderator can get a CSRF token and craft an admin request),
> > > and 2.1.39 has been released to fix a regression in above fix and
> > > to update the fix for CVE-2021-42097.
> > > 
> > > https://mail.python.org/archives/list/mailman-announce@python.org/thread/D54X2LXETPMVP5KZNM2WP6Z6UOPJXSVD/
> > > Can you update the packages for Debian buster (and ideally for
> > > stretch LTS, too)?
> > 
> > See: https://bugs.debian.org/1001556 so it's pending for the next
> > buster point release.
> > 
> > > In bug report #1000367 an updated package 1:2.1.29-1+deb10u3 has
> > > been created, but it is not yet available via buster-security.
> > > That's why I have marked this ticket with "1:2.1.29-1+deb10u2"
> > > above.
> > 
> > Likewise: https://bugs.debian.org/1000386
> > 
> > So in summary, all the CVE fixes are already pending for the next
> > point release for buster.
> 
> Btw, that said, I would appreciate if the proposed packages get some
> additional testing exposure.
> 
> I will also try to provide in the next few days a followup for the
> additional regression fix and the improvement bugfix mentioned in the
> 2.1.39 release.

Friendly ping back on this: there are, as said, pending versions for the
next point release in proposed-updates. Would you be able to test
those so we can make sure the packages for buster have seen some
real-world testing?

The above regression fix is not yet included; would you be able to
test the followup as well?

Regards,
Salvatore
