
Debian Bug report logs - #835970
mailman: CVE-2016-6893: CSRF protection needs to be extended to the user options page


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 29 Aug 2016 15:54:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version mailman/1:2.1.15-1

Fixed in versions mailman/1:2.1.15-1+deb7u2, mailman/1:2.1.23-1, mailman/1:2.1.18-2+deb8u1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.launchpad.net/mailman/+bug/1614841



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#835970; Package src:mailman. (Mon, 29 Aug 2016 15:54:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>. (Mon, 29 Aug 2016 15:54:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mailman: CVE-2016-6893: CSRF protection needs to be extended to the user options page
Date: Mon, 29 Aug 2016 17:51:09 +0200
Source: mailman
Version: 1:2.1.15-1
Severity: important
Tags: security upstream patch
Forwarded: https://bugs.launchpad.net/mailman/+bug/1614841

Hi,

the following vulnerability was published for mailman.

CVE-2016-6893[0]:
CSRF protection needs to be extended to the user options page

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6893
[1] https://bugs.launchpad.net/mailman/+bug/1614841

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 01 Sep 2016 17:54:21 GMT)


Marked as fixed in versions mailman/1:2.1.15-1+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 02 Sep 2016 20:48:05 GMT)


Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Tue, 13 Sep 2016 17:48:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 13 Sep 2016 17:48:09 GMT)


Message #14 received at 835970-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 835970-close@bugs.debian.org
Subject: Bug#835970: fixed in mailman 1:2.1.23-1
Date: Tue, 13 Sep 2016 17:44:53 +0000
Source: mailman
Source-Version: 1:2.1.23-1

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 835970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 13 Sep 2016 16:01:59 +0000
Source: mailman
Binary: mailman
Architecture: source amd64
Version: 1:2.1.23-1
Distribution: unstable
Urgency: medium
Maintainer: Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 mailman    - Powerful, web-based mailing list manager
Closes: 835970
Changes:
 mailman (1:2.1.23-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CSRF in user options (CVE-2016-6893, closes: #835970).
Checksums-Sha1:
 29be3144e8e80d58e88f66b1403616f623b7d467 1765 mailman_2.1.23-1.dsc
 bee329ca989fc4e217fc5cdb814a1a4ecde79615 9290881 mailman_2.1.23.orig.tar.gz
 a0c731ec90eba1180ad5f94a290eb98d2198f071 102404 mailman_2.1.23-1.debian.tar.xz
 ecf7e4b696506c9f016cb3e84a81d72652a5bf59 18284 mailman-dbgsym_2.1.23-1_amd64.deb
 cff6887e321d937f4da038d518a1829f70a589b5 4391984 mailman_2.1.23-1_amd64.deb
Checksums-Sha256:
 3674680323c1dc55b4035f77a0e45278774d8b5fcd4348c8a48ba5237cab5826 1765 mailman_2.1.23-1.dsc
 b022ca6f8534621c9dbe50c983948688bc4623214773b580c2c78e4a7ae43e69 9290881 mailman_2.1.23.orig.tar.gz
 2aa211cb4e29ef5be5d87ecbd250435c2d569feb8ca4da2db9065a621007b8d7 102404 mailman_2.1.23-1.debian.tar.xz
 b4d1c829981f9b27dcb37c136f90628a1338bf00fded3b8f1a92e3cd287a52aa 18284 mailman-dbgsym_2.1.23-1_amd64.deb
 d2ac02de9195477ccd236c177542ece0c434229724e10dacf939e6d6046996f4 4391984 mailman_2.1.23-1_amd64.deb
Files:
 0ff1721df9e49a089564a0d1beb69d89 1765 mail optional mailman_2.1.23-1.dsc
 ceb2d8427e29f4e69b2505423ffeb60b 9290881 mail optional mailman_2.1.23.orig.tar.gz
 437282c8fa61b26892a6e3b09e27f99b 102404 mail optional mailman_2.1.23-1.debian.tar.xz
 48c006bedc2d932491b648941fc98efb 18284 debug extra mailman-dbgsym_2.1.23-1_amd64.deb
 c88baa314ccab1c8e050f61aa42950aa 4391984 mail optional mailman_2.1.23-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJX2C5AAAoJEFb2GnlAHawE0QEH/Akvls1BLtxTGGBQ4ml6Op9j
qWbIQ5l1lWrPN5DjH5YSRKKFUY23dB81f/k6RGbUwDtj5C3ISTfVQ60PUxP2Wxo+
bVH+xYFwe8PNzYvmxqb/EAMrp/OtBHgd433pe6Rq+m22fb4ua9sc2tlRR0fW+HmO
zaFbSLweH9BYbg+NV3t47PS1toOy5/kMhBHcuhGBo1KzwFWYxDiuoY3gsmiLd5od
79/1oQ5pmlx7cAQtcqG45M4WSE27tqBzsG4yVzcVk5EQgzPrGy1O8MZKSfIu/0wZ
S3AveHZjsIWDjltR8IVQ/WcKgYufXtj9KTcBBm4iQRUzVRFz8QdAS18RYeDCao4=
=BlkY
-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 17 Sep 2016 17:21:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Sep 2016 17:21:09 GMT)


Message #19 received at 835970-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 835970-close@bugs.debian.org
Subject: Bug#835970: fixed in mailman 1:2.1.18-2+deb8u1
Date: Sat, 17 Sep 2016 17:17:34 +0000
Source: mailman
Source-Version: 1:2.1.18-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 835970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated mailman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 15 Sep 2016 07:47:56 +0200
Source: mailman
Binary: mailman
Architecture: source amd64
Version: 1:2.1.18-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 mailman    - Powerful, web-based mailing list manager
Closes: 835970
Changes:
 mailman (1:2.1.18-2+deb8u1) jessie-security; urgency=high
 .
   * CVE-2016-6893: Fix CSRF vulnerability associated in the user options page
     which could allow an attacker to obtain a user's password. (Closes: #835970)
Checksums-Sha1:
 20ca9f3b48b52841f98bd6b5660a25da4d3678cb 1725 mailman_2.1.18-2+deb8u1.dsc
 3ea3aff36984a7ccc92bc784b7e76cb8156fa4fc 9095038 mailman_2.1.18.orig.tar.gz
 e4059578d67b62e762605e59f59c32751cb44199 104920 mailman_2.1.18-2+deb8u1.debian.tar.xz
 f3461bbdea619e88b676306b36430820fdfeb6f6 4292892 mailman_2.1.18-2+deb8u1_amd64.deb
Checksums-Sha256:
 b9ae5081efcc832b1d1d7ee9ba3198ee87a5c44e93999a22f6fc0c244d7c5fdf 1725 mailman_2.1.18-2+deb8u1.dsc
 dc1d605321448e7e5e804e26493f7689a0b17f0810505dc3f9774f9519308349 9095038 mailman_2.1.18.orig.tar.gz
 7f4febfb526feb163e218a182bb75b9a878f31911a5136131685b6f27e59b783 104920 mailman_2.1.18-2+deb8u1.debian.tar.xz
 2ebe37d9730921333f8a58fb0734f98700a3c3ec624a0d6e9fbba800864b6113 4292892 mailman_2.1.18-2+deb8u1_amd64.deb
Files:
 3c0e73ca4f4f3c3611ad53f62caa2d19 1725 mail optional mailman_2.1.18-2+deb8u1.dsc
 02ce493711248e1d3723356188446d9f 9095038 mail optional mailman_2.1.18.orig.tar.gz
 0b1b1e7f01988ce8925e7ea08c360c76 104920 mail optional mailman_2.1.18-2+deb8u1.debian.tar.xz
 686b300f9325149533acb0adb606d100 4292892 mail optional mailman_2.1.18-2+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJX2jtgAAoJEFb2GnlAHawE6YgH/2U9P19aMk++s3tYZUTeEgv5
kVYwYGRaaG3Sbi1UaCTg0LWifDKjZNaLWudedXOoLTOzz3QYvaIIl7KwT1HUsZi9
f0Hu+rJ6FEL+ig0OJTVMlCD0XQ+cK8X7deKys9QuIWq8qffnNERduN+4LgL0PuaG
nojsS8Wpv47+m2Sqyu3ySxH6wjhfoUGulBXk01Vml4dIQACLyA9rIj9blI89nhNe
N4Bpoe6PxrTXhf+XBWyZpmSD65d23wbp8sDDnyiwmC/h8zE+w+1J/dCJC9pOv3xU
BW6Uvh8HNsPftcM/eirUrgaZs+O182Rmpep6THicrnAB6lZqCFBDV7yQrBq6vfI=
=4pXf
-----END PGP SIGNATURE-----
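The two changelog entries above describe the fix only as extending CSRF protection to the user options page, where an unprotected form could have been driven from another site to change or expose a user's password. The following is an added example, written for this page and not Mailman's own code or its token scheme: it shows the shape of that class of fix, a per-session anti-CSRF token issued with the form and verified on every state-changing POST. The server secret, session id, token lifetime and the `handle_options_post` handler are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed for the example; a real deployment loads a random secret from config.
SERVER_SECRET = b"constructed-example-secret-not-for-production"
TOKEN_TTL = 3600  # seconds a token stays valid


def make_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Issue a token bound to one session: "<timestamp>.<HMAC(secret, session|timestamp)>".

    Because the MAC covers the session id, a token copied or guessed for a
    different session does not verify, and a cross-site form post from another
    origin has no way to read the legitimate user's token to include it.
    """
    ts = int(time.time()) if now is None else now
    mac = hmac.new(SERVER_SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_csrf_token(token: Optional[str], session_id: str, now: Optional[int] = None) -> bool:
    """Return True only for a well-formed, unexpired token issued for this session."""
    if not token or "." not in token:
        return False
    ts_str, mac = token.split(".", 1)
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    current = int(time.time()) if now is None else now
    if ts > current or current - ts > TOKEN_TTL:
        return False  # clock skew forward or token older than TTL
    expected = hmac.new(SERVER_SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, mac)


def handle_options_post(form: dict, session_id: str, now: Optional[int] = None) -> Tuple[int, str]:
    """Simulated handler for a state-changing user options POST (hypothetical).

    The CSRF check runs before any field is acted on; a request that arrives
    without a valid token for the caller's session is refused outright.
    """
    if not verify_csrf_token(form.get("csrf_token"), session_id, now):
        return 403, "CSRF token missing or invalid; request rejected"
    if "new_password" in form:
        return 200, "password changed"
    return 200, "options saved"


if __name__ == "__main__":
    sid = "sess-abc"  # constructed session id
    token = make_csrf_token(sid)
    # The form rendered for the user carries the token; a forged cross-site POST lacks it.
    print(handle_options_post({"new_password": "x"}, sid))
    print(handle_options_post({"csrf_token": token, "new_password": "x"}, sid))
```

The check is deliberately placed ahead of any field handling, and the token is tied to the session rather than being a global or per-form constant: a token that is the same for every user would be readable by anyone with an account and would defeat the purpose.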




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Oct 2016 07:28:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:36:53 2019; Machine Name: buxtehude
