Debian Bug report logs - #989183
CVE-2021-33038

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 27 May 2021 19:12:02 UTC

Severity: grave

Tags: security, upstream

Found in version hyperkitty/1.3.4-3

Fixed in version hyperkitty/1.3.4-4

Done: Jonas Meurer <jonas@freesources.org>

Forwarded to https://gitlab.com/mailman/hyperkitty/-/issues/380



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#989183; Package src:hyperkitty. (Thu, 27 May 2021 19:12:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>. (Thu, 27 May 2021 19:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2021-33038
Date: Thu, 27 May 2021 21:07:57 +0200
Source: hyperkitty
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

This was assigned CVE-2021-33038:
https://gitlab.com/mailman/hyperkitty/-/issues/380

Patch is here:
https://gitlab.com/mailman/hyperkitty/-/commit/9025324597d60b2dff740e49b70b15589d6804fa

Cheers,
	 Moritz



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 May 2021 19:42:03 GMT)


Set Bug forwarded-to-address to 'https://gitlab.com/mailman/hyperkitty/-/issues/380'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 May 2021 19:42:04 GMT)


Marked as found in versions hyperkitty/1.3.4-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 May 2021 19:42:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#989183; Package src:hyperkitty. (Fri, 28 May 2021 09:09:03 GMT)


Acknowledgement sent to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>. (Fri, 28 May 2021 09:09:03 GMT)


Message #16 received at 989183@bugs.debian.org:

From: Jonas Meurer <jonas@freesources.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 989183@bugs.debian.org
Subject: Re: Bug#989183: CVE-2021-33038
Date: Fri, 28 May 2021 11:06:31 +0200
Hey Moritz,

Moritz Muehlenhoff wrote:
> This was assigned CVE-2021-33038:
> https://gitlab.com/mailman/hyperkitty/-/issues/380
> 
> Patch is here:
> https://gitlab.com/mailman/hyperkitty/-/commit/9025324597d60b2dff740e49b70b15589d6804fa

Thanks a lot for reporting the security bug!

I'll upload hyperkitty 1.3.4-4 in a few minutes with the patch applied. 
Will open an unblock request for Bullseye as soon as the package hits the 
archive.

Do you want to take care of preparing an upload to buster-security or 
shall I prepare that one as well?

Kind regards
 jonas

[OpenPGP_signature (application/pgp-signature, attachment)]

Reply sent to Jonas Meurer <jonas@freesources.org>:
You have taken responsibility. (Fri, 28 May 2021 09:21:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 28 May 2021 09:21:06 GMT)


Message #21 received at 989183-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 989183-close@bugs.debian.org
Subject: Bug#989183: fixed in hyperkitty 1.3.4-4
Date: Fri, 28 May 2021 09:18:24 +0000
Source: hyperkitty
Source-Version: 1.3.4-4
Done: Jonas Meurer <jonas@freesources.org>

We believe that the bug you reported is fixed in the latest version of
hyperkitty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989183@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer <jonas@freesources.org> (supplier of updated hyperkitty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 28 May 2021 11:00:26 +0200
Source: hyperkitty
Architecture: source
Version: 1.3.4-4
Distribution: unstable
Urgency: high
Maintainer: Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>
Changed-By: Jonas Meurer <jonas@freesources.org>
Closes: 989183
Changes:
 hyperkitty (1.3.4-4) unstable; urgency=high
 .
   * d/p/0005_ensure_private_archives_during_import.patch: Ensure private
     archives stay private during import (CVE-2021-33038). (Closes: #989183)
Checksums-Sha1:
 08dc720dd629e5af6e6f9dda01e261f11ec67aef 2843 hyperkitty_1.3.4-4.dsc
 cb6518504a9001d49b0547c4c00956de22eb2823 135016 hyperkitty_1.3.4-4.debian.tar.xz
 da19ae7a5afaec35c9d44caef660eedd77c01db0 9290 hyperkitty_1.3.4-4_amd64.buildinfo
Checksums-Sha256:
 c30645decd62ddcb50550bc8bfc670551a171284444d9cddc7645a525650c72b 2843 hyperkitty_1.3.4-4.dsc
 6ce57acaea48167be51b613bb98fafae5aa13b4a78326fb9ab263c5165753938 135016 hyperkitty_1.3.4-4.debian.tar.xz
 6ffea22544deda676cee526d09370cf5ce5fdb1914916543a10c077e412db6a5 9290 hyperkitty_1.3.4-4_amd64.buildinfo
Files:
 33084db7f0727ca5a121360875133f3b 2843 python optional hyperkitty_1.3.4-4.dsc
 d05dc1497eb26dabc6831f4535c4bb03 135016 python optional hyperkitty_1.3.4-4.debian.tar.xz
 139acd3cb77e7d183f6767f5dc52121d 9290 python optional hyperkitty_1.3.4-4_amd64.buildinfo

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#989183; Package src:hyperkitty. (Fri, 28 May 2021 10:00:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>. (Fri, 28 May 2021 10:00:03 GMT)


Message #26 received at 989183@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Jonas Meurer <jonas@freesources.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 989183@bugs.debian.org
Subject: Re: Bug#989183: CVE-2021-33038
Date: Fri, 28 May 2021 11:58:24 +0200
On Fri, May 28, 2021 at 11:06:31AM +0200, Jonas Meurer wrote:
> Hey Moritz,
> 
> Moritz Muehlenhoff wrote:
> > This was assigned CVE-2021-33038:
> > https://gitlab.com/mailman/hyperkitty/-/issues/380
> > 
> > Patch is here:
> > https://gitlab.com/mailman/hyperkitty/-/commit/9025324597d60b2dff740e49b70b15589d6804fa
> 
> Thanks a lot for reporting the security bug!
> 
> I'll upload hyperkitty 1.3.4-4 in a few minutes with the patch applied. Will
> open an unblock request for Bullseye as soon as the package hits the archive.
> 
> Do you want to take care of preparing an upload to buster-security or shall
> I prepare that one as well?

Please do! Version number should be 1.2.2-1+deb10u1

Cheers,
        Moritz


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#989183; Package src:hyperkitty. (Fri, 28 May 2021 12:18:02 GMT)


Acknowledgement sent to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>. (Fri, 28 May 2021 12:18:02 GMT)


Message #31 received at 989183@bugs.debian.org:

From: Jonas Meurer <jonas@freesources.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 989183@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#989183: CVE-2021-33038
Date: Fri, 28 May 2021 14:14:34 +0200
Hey Moritz,

Moritz Muehlenhoff wrote:
> On Fri, May 28, 2021 at 11:06:31AM +0200, Jonas Meurer wrote:
>> Moritz Muehlenhoff wrote:
>>> This was assigned CVE-2021-33038:
>>> https://gitlab.com/mailman/hyperkitty/-/issues/380
>>>
>>> Patch is here:
>>> https://gitlab.com/mailman/hyperkitty/-/commit/9025324597d60b2dff740e49b70b15589d6804fa
>>
>> Thanks a lot for reporting the security bug!
>>
>> I'll upload hyperkitty 1.3.4-4 in a few minutes with the patch applied. Will
>> open an unblock request for Bullseye as soon as the package hits the archive.
>>
>> Do you want to take care of preparing an upload to buster-security or shall
>> I prepare that one as well?
> 
> Please do! Version number should be 1.2.2-1+deb10u1

Done now. The sources for 1.2.2-1+deb10u1 can be found here:

https://salsa.debian.org/mailman-team/hyperkitty/-/tree/debian/buster-security

Will you handle the upload or shall I upload to buster-security as well?

Kind regards
 jonas


[OpenPGP_signature (application/pgp-signature, attachment)]


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri May 28 12:44:43 2021; Machine Name: buxtehude
