Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: car...@debian.org,j...@debian.org
Hi stable release managers,

mailman in buster is affected by two new CVEs. After consideration of whether it warrants a DSA, we opted for making an update just available via an upcoming point release.

The changes are provided by upstream:

* Potential XSS attack via the user options page (CVE-2021-43331)
* A list moderator can crack the list admin password encrypted in a CSRF token (CVE-2021-43332)

#1000367 tracks it in the BTS itself.

Regards,
Salvatore
diff -Nru mailman-2.1.29/debian/changelog mailman-2.1.29/debian/changelog --- mailman-2.1.29/debian/changelog 2021-10-22 14:32:39.000000000 +0200 +++ mailman-2.1.29/debian/changelog 2021-11-20 15:17:30.000000000 +0100 @@ -1,3 +1,13 @@ +mailman (1:2.1.29-1+deb10u3) buster; urgency=medium + + * Non-maintainer upload by the Security Team. + * Potential XSS attack via the user options page (CVE-2021-43331) + (Closes: #1000367) + * A list moderator can crack the list admin password encrypted in a CSRF + token (CVE-2021-43332) (Closes: #1000367) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 20 Nov 2021 15:17:30 +0100 + mailman (1:2.1.29-1+deb10u2) buster-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru mailman-2.1.29/debian/patches/CVE-2021-43331.patch mailman-2.1.29/debian/patches/CVE-2021-43331.patch --- mailman-2.1.29/debian/patches/CVE-2021-43331.patch 1970-01-01 01:00:00.000000000 +0100 +++ mailman-2.1.29/debian/patches/CVE-2021-43331.patch 2021-11-20 15:17:30.000000000 +0100 
@@ -0,0 +1,19 @@ +Description: Potential XSS attack via the user options page +Origin: upstream, https://bugs.launchpad.net/mailman/+bug/1949401/+attachment/5540165/+files/patch_to_fix_1949401 +Bug: https://bugs.launchpad.net/mailman/+bug/1949401 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-43331 +Forwarded: not-needed +Last-Update: 2021-11-20 + +=== modified file 'Mailman/Cgi/options.py' +--- a/Mailman/Cgi/options.py ++++ b/Mailman/Cgi/options.py +@@ -342,6 +342,8 @@ def main(): + varhelp = qs[0] + if varhelp: + # Sanitize the topic name. ++ while '%' in varhelp: ++ varhelp = urllib.unquote_plus(varhelp) + varhelp = re.sub('<.*', '', varhelp) + topic_details(mlist, doc, user, cpuser, userlang, varhelp) + return diff -Nru mailman-2.1.29/debian/patches/CVE-2021-43332.patch mailman-2.1.29/debian/patches/CVE-2021-43332.patch --- mailman-2.1.29/debian/patches/CVE-2021-43332.patch 1970-01-01 01:00:00.000000000 +0100 +++ mailman-2.1.29/debian/patches/CVE-2021-43332.patch 2021-11-20 15:17:30.000000000 +0100 
@@ -0,0 +1,32 @@ +Description: A list moderator can crack the list admin password encrypted in a CSRF token +Origin: upstream, https://bugs.launchpad.net/mailman/+bug/1949403/+attachment/5540558/+files/patch_to_fix_1949403 +Bug: https://bugs.launchpad.net/mailman/+bug/1949403 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-43332 +Forwarded: not-needed +Last-Update: 2021-11-20 + +=== modified file 'Mailman/CSRFcheck.py' +--- a/Mailman/CSRFcheck.py ++++ b/Mailman/CSRFcheck.py +@@ -45,7 +45,7 @@ def csrf_token(mlist, contexts, user=Non + + for context in contexts: + key, secret = mlist.AuthContextInfo(context, user) +- if key: ++ if key and secret: + break + else: + return None # not authenticated +--- a/Mailman/Cgi/admindb.py ++++ b/Mailman/Cgi/admindb.py +@@ -59,8 +59,8 @@ if mm_cfg.DISPLAY_HELD_SUMMARY_SORT_BUTT + else: + ssort = SSENDER + +-AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin, +- mm_cfg.AuthListModerator) ++AUTH_CONTEXTS = (mm_cfg.AuthListModerator, mm_cfg.AuthListAdmin, ++ mm_cfg.AuthSiteAdmin) + + + diff -Nru mailman-2.1.29/debian/patches/series mailman-2.1.29/debian/patches/series --- mailman-2.1.29/debian/patches/series 2021-10-22 14:32:39.000000000 +0200 +++ mailman-2.1.29/debian/patches/series 2021-11-20 15:17:30.000000000 +0100 @@ -13,3 +13,5 @@ 1844-CVE-2020-12108.patch 1848-CVE-2020-15011.patch 1873-CVE-2021-42096_CVE-2021-42097.patch +CVE-2021-43331.patch +CVE-2021-43332.patch
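Review bot: the loop added in debian/patches/CVE-2021-43331.patch (Mailman/Cgi/options.py), `while '%' in varhelp: varhelp = urllib.unquote_plus(varhelp)`, has no guaranteed exit: urllib.unquote_plus leaves a `%` that is not followed by two hex digits in place, so a varhelp value such as `100%`, or one that decodes down to a bare `%` (`%2525` -> `%25` -> `%`), keeps its `%` on every pass and the request spins forever, turning the XSS fix into a denial-of-service problem. Stop when a pass leaves the string unchanged (`decoded = urllib.unquote_plus(varhelp); if decoded == varhelp: break`) or cap the loop at a small fixed number of passes. Decoding before the `re.sub('<.*', '', varhelp)` strip is the right order, since an encoded `%3C` would otherwise survive the sanitiser; note also that the hunk uses `urllib` without adding an import and the context lines do not show one, so confirm options.py already imports it.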
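Review bot: the `if key and secret:` change in debian/patches/CVE-2021-43332.patch (Mailman/CSRFcheck.py) makes csrf_token skip a context whose AuthContextInfo returns a key but no secret and fall through to the next one, which is the intended behaviour but is not explained anywhere in the hunk; without a comment the `and secret` reads as a trivial null check and is easy to drop in a later cleanup, so add a one-line comment on that line stating that a context without a secret must never be used to derive the token.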
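Review bot: the reordering of AUTH_CONTEXTS in debian/patches/CVE-2021-43332.patch (Mailman/Cgi/admindb.py) to `(mm_cfg.AuthListModerator, mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin)` carries the actual fix, because the CSRFcheck.py hunk shows csrf_token breaking on the first context with a key and secret, so a moderator's token is now derived from the moderator secret rather than the list admin one; nothing in the hunk records that the tuple order is least-privileged-first and security relevant, so add a comment above it saying so, and check whether any other CGI module defines its own AUTH_CONTEXTS with AuthListAdmin ahead of AuthListModerator, since this patch only touches admindb.py.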
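Review bot: the two entries appended to debian/patches/series (`CVE-2021-43331.patch`, `CVE-2021-43332.patch`) do not follow the naming convention of the surrounding entries (`1844-CVE-2020-12108.patch`, `1848-CVE-2020-15011.patch`, `1873-CVE-2021-42096_CVE-2021-42097.patch`), which carry a numeric upstream reference as a prefix; if the upstream revision of these two fixes is known, naming the files the same way keeps the series consistent, and either way the DEP-3 Origin headers already point at the Launchpad bugs, so this is a style point only.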