Your message dated Sat, 26 Mar 2022 12:02:22 +0000
with message-id 
<540de30a27d37c3ff416b94b1adf7ff2a2cab257.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates in 10.12
has caused the Debian Bug report #1000386,
regarding buster-pu: package mailman/1:2.1.29-1+deb10u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1000386: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000386
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: car...@debian.org,j...@debian.org

Hi stable release managers,

mailman in buster is affected by two new CVEs. After consideration of whether it
warrants a DSA, we opted to make the update available only via an
upcoming point release. The changes are provided by upstream:

  * Potential XSS attack via the user options page (CVE-2021-43331)

  * A list moderator can crack the list admin password encrypted in a CSRF
    token (CVE-2021-43332)

#1000367 tracks it in the BTS itself.

Regards,
Salvatore
diff -Nru mailman-2.1.29/debian/changelog mailman-2.1.29/debian/changelog
--- mailman-2.1.29/debian/changelog     2021-10-22 14:32:39.000000000 +0200
+++ mailman-2.1.29/debian/changelog     2021-11-20 15:17:30.000000000 +0100
@@ -1,3 +1,13 @@
+mailman (1:2.1.29-1+deb10u3) buster; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * Potential XSS attack via the user options page (CVE-2021-43331)
+    (Closes: #1000367)
+  * A list moderator can crack the list admin password encrypted in a CSRF
+    token (CVE-2021-43332) (Closes: #1000367)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 20 Nov 2021 15:17:30 +0100
+
 mailman (1:2.1.29-1+deb10u2) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru mailman-2.1.29/debian/patches/CVE-2021-43331.patch 
mailman-2.1.29/debian/patches/CVE-2021-43331.patch
--- mailman-2.1.29/debian/patches/CVE-2021-43331.patch  1970-01-01 
01:00:00.000000000 +0100
+++ mailman-2.1.29/debian/patches/CVE-2021-43331.patch  2021-11-20 
15:17:30.000000000 +0100
@@ -0,0 +1,19 @@
+Description: Potential XSS attack via the user options page
+Origin: upstream, 
https://bugs.launchpad.net/mailman/+bug/1949401/+attachment/5540165/+files/patch_to_fix_1949401
+Bug: https://bugs.launchpad.net/mailman/+bug/1949401
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-43331
+Forwarded: not-needed
+Last-Update: 2021-11-20
+
+=== modified file 'Mailman/Cgi/options.py'
+--- a/Mailman/Cgi/options.py
++++ b/Mailman/Cgi/options.py
+@@ -342,6 +342,8 @@ def main():
+             varhelp = qs[0]
+     if varhelp:
+         # Sanitize the topic name.
++        while '%' in varhelp:
++            varhelp = urllib.unquote_plus(varhelp)
+         varhelp = re.sub('<.*', '', varhelp)
+         topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+         return
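Review bot: the `while '%' in varhelp:` loop at the top of the added hunk can fail to terminate. `urllib.unquote_plus` leaves a `%` that is not followed by two hex digits untouched, and it turns `%25` into a literal `%`, so a VARHELP value that reaches a form like `%zz` or `100%` is a fixed point that still contains `%` and the CGI never returns. Suggest looping on change rather than on the character, for example decode until `urllib.unquote_plus(varhelp) == varhelp` with a small round limit, and only then apply the existing `re.sub('<.*', '', varhelp)`. The patch header would also benefit from one line saying why repeated decoding is needed (a `<` that arrives percent-encoded more than once survives a single decode and the `<` check).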
diff -Nru mailman-2.1.29/debian/patches/CVE-2021-43332.patch 
mailman-2.1.29/debian/patches/CVE-2021-43332.patch
--- mailman-2.1.29/debian/patches/CVE-2021-43332.patch  1970-01-01 
01:00:00.000000000 +0100
+++ mailman-2.1.29/debian/patches/CVE-2021-43332.patch  2021-11-20 
15:17:30.000000000 +0100
@@ -0,0 +1,32 @@
+Description: A list moderator can crack the list admin password encrypted in a 
CSRF token
+Origin: upstream, 
https://bugs.launchpad.net/mailman/+bug/1949403/+attachment/5540558/+files/patch_to_fix_1949403
+Bug: https://bugs.launchpad.net/mailman/+bug/1949403
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-43332
+Forwarded: not-needed
+Last-Update: 2021-11-20
+
+=== modified file 'Mailman/CSRFcheck.py'
+--- a/Mailman/CSRFcheck.py
++++ b/Mailman/CSRFcheck.py
+@@ -45,7 +45,7 @@ def csrf_token(mlist, contexts, user=Non
+         
+     for context in contexts:
+         key, secret = mlist.AuthContextInfo(context, user)
+-        if key:
++        if key and secret:
+             break
+     else:
+         return None     # not authenticated
+--- a/Mailman/Cgi/admindb.py
++++ b/Mailman/Cgi/admindb.py
+@@ -59,8 +59,8 @@ if mm_cfg.DISPLAY_HELD_SUMMARY_SORT_BUTT
+ else:
+     ssort = SSENDER
+ 
+-AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
+-                 mm_cfg.AuthListModerator)
++AUTH_CONTEXTS = (mm_cfg.AuthListModerator, mm_cfg.AuthListAdmin,
++                 mm_cfg.AuthSiteAdmin)
+ 
+ 
+ 
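Review bot: the two nested changes depend on each other and that dependency is not written down anywhere in the hunk. `if key and secret` in `csrf_token` makes a context whose secret is empty fall through to the next entry instead of being chosen as the signing context, and the reordered `AUTH_CONTEXTS` in admindb.py now tries `AuthListModerator` before `AuthListAdmin`, so a moderator's token is derived from the moderator secret rather than from the admin password. Suggest a comment above `AUTH_CONTEXTS` stating that the order is deliberate (least-privileged context first) and that an empty moderator password falls back to the admin context, so nobody restores the old order for tidiness later. It is also worth confirming, outside this hunk, that the verification side accepts a token issued under any context in the tuple, since a list admin visiting admindb on a list that has a moderator password will now be handed a moderator-context token.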
diff -Nru mailman-2.1.29/debian/patches/series 
mailman-2.1.29/debian/patches/series
--- mailman-2.1.29/debian/patches/series        2021-10-22 14:32:39.000000000 
+0200
+++ mailman-2.1.29/debian/patches/series        2021-11-20 15:17:30.000000000 
+0100
@@ -13,3 +13,5 @@
 1844-CVE-2020-12108.patch
 1848-CVE-2020-15011.patch
 1873-CVE-2021-42096_CVE-2021-42097.patch
+CVE-2021-43331.patch
+CVE-2021-43332.patch
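Review bot: style point on the two new entries: every existing entry in this series file carries a numeric prefix (`1844-CVE-2020-12108.patch`, `1873-CVE-2021-42096_CVE-2021-42097.patch`) while the new ones are bare `CVE-2021-43331.patch` and `CVE-2021-43332.patch`. Consider keeping the convention so the series stays sortable by upstream order, or note in the changelog why these two differ.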

--- End Message ---
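As an added example, not code from Mailman or from this upload: a small Python 3 script showing why the options-page topic name must be percent-decoded before the `<` check (an encoded `<` has no literal `<` to strip) and why decoding "until no `%` is left" is not a safe stopping rule, whereas decoding until the value stops changing is. The function names, the sample inputs and the round limit are the example's own assumptions.

```python
# Added example, not Mailman code. Shows the double-encoding bypass of a
# strip-from-first-'<' sanitiser, the hardened decode-then-strip form, and the
# difference between "loop while '%' remains" and "loop until unchanged".
import re
from urllib.parse import unquote_plus

MAX_ROUNDS = 8  # assumed bound on how deeply a value may be percent-encoded


def strip_markup(value):
    """The sanitiser used on the options page: drop everything from the first '<'."""
    return re.sub('<.*', '', value)


def sanitize_single_pass(value):
    """Pre-fix behaviour: strip '<' without decoding first.

    The query-string parser decodes once. A client that encoded '<' twice
    leaves '%3C' here, which contains no literal '<' and passes untouched.
    """
    return strip_markup(value)


def decode_to_fixed_point(value, max_rounds=MAX_ROUNDS):
    """Percent-decode until the value stops changing.

    Returns (decoded, rounds, converged). Stopping on 'no change' instead of
    'no % left' is what makes this terminate on '%zz' (invalid escape, left
    as-is by unquote_plus) or on a bare '%' produced from '%25'.
    Note: unquote_plus also turns '+' into a space.
    """
    for rounds in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            return value, rounds, True
        value = decoded
    return value, max_rounds, False


def sanitize_decoded(value):
    """Hardened form: fully decode, then strip from the first '<'."""
    decoded, _, _ = decode_to_fixed_point(value)
    return strip_markup(decoded)


def percent_loop_terminates(value, max_rounds=MAX_ROUNDS):
    """Simulate `while '%' in value: value = unquote_plus(value)` with a cap.

    Returns True if the '%' disappears within max_rounds. Returns False if
    the value reaches a fixed point that still contains '%' (the uncapped
    loop would never exit) or has not converged within the bound.
    """
    for _ in range(max_rounds):
        if '%' not in value:
            return True
        decoded = unquote_plus(value)
        if decoded == value:
            return False
        value = decoded
    return '%' not in value


if __name__ == '__main__':
    # Constructed inputs, as the CGI would see them after the query-string
    # parser's single decode.
    for sample in ('Announcements', '%3Cscript%3E', '%253Cscript%253E',
                   '100%25', '%zz'):
        print('%-20r single=%-18r decoded=%-14r %%-loop exits: %s' % (
            sample, sanitize_single_pass(sample), sanitize_decoded(sample),
            percent_loop_terminates(sample)))
```

Run it and compare the two sanitiser columns: the single-pass form lets `%3Cscript%3E` through unchanged, the decode-then-strip form reduces it to an empty string, and the last column shows which inputs would hang a loop keyed on the presence of `%`.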
--- Begin Message ---
Package: release.debian.org
Version: 10.12

Hi,

The updates referenced in these requests were included in oldstable as
part of today's 10.12 point release.

Regards,

Adam

--- End Message ---
