
Bug#1001685: mailman: CVE-2021-44227 and updated fix for CVE-2021-42097


Thomas Arendsen Hein

Dec 14, 2021, 5:30:03 AM
Package: mailman
Version: 1:2.1.29-1+deb10u2
Severity: important

Hi!

Mailman 2.1.38 has been released to fix CVE-2021-44227 (a list
member or moderator can get a CSRF token and craft an admin request),
and 2.1.39 has been released to fix a regression in above fix and
to update the fix for CVE-2021-42097.

https://mail.python.org/archives/list/mailman-...@python.org/thread/D54X2LXETPMVP5KZNM2WP6Z6UOPJXSVD/
Can you update the packages for Debian buster (and ideally for
stretch LTS, too)?

In bug report #1000367 an updated package 1:2.1.29-1+deb10u3 has
been created, but it is not yet available via buster-security.
That's why I have marked this ticket with "1:2.1.29-1+deb10u2"
above.

Thank you,

Thomas Arendsen Hein

--
Thomas Arendsen Hein <tho...@intevation.de>
OpenPGP key: https://intevation.de/~thomas/thomas_pgp.asc (0xD45DE28FF3A2250C)
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
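The CVE-2021-44227 summary above (a member or moderator obtains a CSRF token and uses it on an admin request) is an instance of a CSRF token that is not bound to the privilege level it was minted for. The following is an added illustration, not Mailman's code or its actual fix: a token bound only to the list name is shown beside one bound to list, user and role, with a short lifetime. The list name, user, secret and timestamp are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed server secret and lifetime for this example only; a real
# deployment reads the secret from its configuration.
SECRET = b"example-site-secret-not-for-production"
TOKEN_TTL = 3600  # seconds a token stays valid


def _mac(secret, parts, ts):
    """HMAC-SHA256 over the context the token is bound to plus its mint time."""
    msg = "|".join([*parts, str(ts)]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def _split(token):
    """Return (ts, mac) or None if the token is malformed."""
    ts_str, sep, mac = token.partition(":")
    if not sep or not ts_str.isdigit():
        return None
    return int(ts_str), mac


def _fresh(ts, now):
    return 0 <= now - ts <= TOKEN_TTL


# --- weak scheme: token bound to the list only -------------------------------

def weak_make_token(secret, listname, ts=None):
    """Every authenticated principal of the list obtains a token with this binding."""
    ts = int(time.time()) if ts is None else ts
    return f"{ts}:{_mac(secret, [listname], ts)}"


def weak_verify(secret, token, listname, now=None):
    """Accepts the token on any form of the list, admin forms included."""
    parsed = _split(token)
    if parsed is None:
        return False
    ts, mac = parsed
    now = int(time.time()) if now is None else now
    return _fresh(ts, now) and hmac.compare_digest(_mac(secret, [listname], ts), mac)


# --- bound scheme: token also bound to the user and the role ------------------

def make_token(secret, listname, user, role, ts=None):
    ts = int(time.time()) if ts is None else ts
    return f"{ts}:{_mac(secret, [listname, user, role], ts)}"


def verify_token(secret, token, listname, user, role, now=None):
    """The server recomputes the MAC with the role the request *requires*, not the
    role the client claims, so a member's token cannot authorise an admin action."""
    parsed = _split(token)
    if parsed is None:
        return False
    ts, mac = parsed
    now = int(time.time()) if now is None else now
    return _fresh(ts, now) and hmac.compare_digest(
        _mac(secret, [listname, user, role], ts), mac)


def demo():
    """Constructed scenario: alice is a plain member of the list 'announce'."""
    ts = 1639470000  # constructed fixed mint time so the result is deterministic
    later = ts + 10
    user = "alice@example.org"

    member_token = weak_make_token(SECRET, "announce", ts)
    weak_admin_accepted = weak_verify(SECRET, member_token, "announce", now=later)

    bound_token = make_token(SECRET, "announce", user, "member", ts)
    bound_admin_accepted = verify_token(SECRET, bound_token, "announce", user, "admin", now=later)
    bound_member_accepted = verify_token(SECRET, bound_token, "announce", user, "member", now=later)
    expired_accepted = verify_token(SECRET, bound_token, "announce", user, "member",
                                    now=ts + TOKEN_TTL + 1)
    forged_accepted = verify_token(SECRET, f"{ts}:" + "0" * 64, "announce", user, "member",
                                   now=later)
    malformed_accepted = verify_token(SECRET, "not-a-token", "announce", user, "member",
                                      now=later)

    return {
        "weak_admin_accepted": weak_admin_accepted,      # True: the bug class
        "bound_admin_accepted": bound_admin_accepted,    # False: role mismatch
        "bound_member_accepted": bound_member_accepted,  # True: legitimate use
        "expired_accepted": expired_accepted,            # False: past TOKEN_TTL
        "forged_accepted": forged_accepted,              # False: bad MAC
        "malformed_accepted": malformed_accepted,        # False: unparsable
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The point of the bound scheme is that the verifier never trusts a role value sent by the client: the handler for an admin form passes `"admin"` itself, so a token minted for a member cannot be replayed there. The same comparison would pass if the role were read from the request, which is why the binding must come from the server side of the check.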

Salvatore Bonaccorso

Dec 14, 2021, 3:20:04 PM
Control: tags -1 + upstream security

Hi Thomas,

On Tue, Dec 14, 2021 at 11:23:53AM +0100, Thomas Arendsen Hein wrote:
> Package: mailman
> Version: 1:2.1.29-1+deb10u2
> Severity: important
>
> Hi!
>
> Mailman 2.1.38 has been released to fix CVE-2021-44227 (a list
> member or moderator can get a CSRF token and craft an admin request),
> and 2.1.39 has been released to fix a regression in above fix and
> to update the fix for CVE-2021-42097.
>
> https://mail.python.org/archives/list/mailman-...@python.org/thread/D54X2LXETPMVP5KZNM2WP6Z6UOPJXSVD/
> Can you update the packages for Debian buster (and ideally for
> stretch LTS, too)?

See: https://bugs.debian.org/1001556 so it's pending for the next
buster point release.

> In bug report #1000367 an updated package 1:2.1.29-1+deb10u3 has
> been created, but it is not yet available via buster-security.
> That's why I have marked this ticket with "1:2.1.29-1+deb10u2"
> above.

Likewise: https://bugs.debian.org/1000386

So in summary, all the CVE fixes are already pending for the next
point release for buster.

Hope this helps,

Regards,
Salvatore

Salvatore Bonaccorso

Dec 14, 2021, 3:50:03 PM
Hi Thomas,
Btw, that said, I would appreciate if the proposed packages get some
additional testing exposure.

I will try to provide in the next days as well a followup to the
additional regression fix and improvement bugfix mentioned from the
2.1.39 release.

Regards,
Salvatore

Salvatore Bonaccorso

Jan 6, 2022, 1:00:03 AM
Control: forwarded -1 https://bugs.launchpad.net/mailman/+bug/1954694

Hi Thomas,
Friendly ping back on this: there are as said pending versions for the
next point release in proposed-updates. Would you be able to test
those so we can make sure the packages for buster have seen some real
situation testing?

The above regression fix is not yet included, would you be able to
test the followup as well?

Regards,
Salvatore

Thomas Arendsen Hein

Jan 10, 2022, 10:40:03 AM
Hi Salvatore,

* Salvatore Bonaccorso <car...@debian.org> [20220106 06:51]:
> Friendly ping back on this: there are as said pending versions for the
> next point release in proposed-updates. Would you be able to test
> those so we can make sure the packages for buster have seen some real
> situation testing?

Sorry, unfortunately I don't have a buster system with mailman2
available. Due to a 3rd-party dependency we're still running stretch.
I've just checked, there is no updated mailman package in
stretch-proposed-updates, which I would happily test for you.

Regards,

Thomas