Debian Bug report logs -
#1000367
mailman: CVE-2021-43331 (XSS) and CVE-2021-43332 (moderator can discover admin password)
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#1000367; Package mailman.
(Mon, 22 Nov 2021 08:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Thomas Arendsen Hein <thomas@intevation.de>:
New Bug report received and forwarded. Copy sent to Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>.
(Mon, 22 Nov 2021 08:21:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: mailman
Version: 1:2.1.29-1+deb10u2
Severity: important
Hi!
Mailman 2.1.36 an 2.1.37 have been released to fix CVE-2021-43331
(XSS) and CVE-2021-43332 (moderator can discover admin password):
https://mail.python.org/archives/list/mailman-announce@python.org/thread/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/
Can you update the packages for Debian buster (and ideally for
stretch LTS, too)?
Thank you for maintaining the package, this has been very helpful.
Best Regards,
Thomas Arendsen Hein
-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-18-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), LANGUAGE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages mailman depends on:
pn apache2 | httpd <none>
ii cron [cron-daemon] 3.0pl1-134+deb10u1
ii debconf [debconf-2.0] 1.5.71+deb10u1
ii libc6 2.28-10
ii logrotate 3.14.0-4
ii lsb-base 10.2019051400
ii python 2.7.16-1
ii python-dnspython 1.16.0-1+deb10u1
ii ucf 3.0038+nmu1
Versions of packages mailman recommends:
ii postfix [mail-transport-agent] 3.4.14-0+deb10u1
Versions of packages mailman suggests:
pn listadmin <none>
ii lynx 2.8.9rel.1-3+deb10u1
pn mailman3-full <none>
pn spamassassin <none>
--
Thomas Arendsen Hein <thomas@intevation.de>
OpenPGP key: https://intevation.de/~thomas/thomas_pgp.asc (0xD45DE28FF3A2250C)
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Added tag(s) upstream, security, and fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 22 Nov 2021 12:15:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Nov 22 14:38:34 2021;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon