Package: mailman
Version: 1:2.1.29-1+deb10u2
Severity: important

Hi!

Mailman 2.1.38 has been released to fix CVE-2021-44227 (a list member or moderator can get a CSRF token and craft an admin request), and 2.1.39 has been released to fix a regression in the above fix and to update the fix for CVE-2021-42097.

https://mail.python.org/archives/list/mailman-annou...@python.org/thread/D54X2LXETPMVP5KZNM2WP6Z6UOPJXSVD/

Can you update the packages for Debian buster (and ideally for stretch LTS, too)?

In bug report #1000367 an updated package 1:2.1.29-1+deb10u3 has been created, but it is not yet available via buster-security. That's why I have marked this ticket with "1:2.1.29-1+deb10u2" above.

Thank you,
Thomas Arendsen Hein

-- 
Thomas Arendsen Hein <tho...@intevation.de>
OpenPGP key: https://intevation.de/~thomas/thomas_pgp.asc (0xD45DE28FF3A2250C)
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
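The bug class behind CVE-2021-44227, as the report summarizes it, is a CSRF token that is checked for integrity and list but not for the role of the user it was issued to, so a token obtained from a moderation page can be replayed against an admin page. The following added example (not part of the bug report, and not Mailman's own token code; the token layout, the SECRET value, the RANK table, the list name "announce" and the function names are all assumptions made for the illustration) shows a weak check beside a role-bound one, using HMAC-signed tokens that carry list name, role and issue time.

```python
import base64
import hashlib
import hmac
import time

# Assumed per-installation secret; a real deployment loads it from config.
SECRET = b"constructed-secret-for-the-example-only"

# Assumed privilege ranks; a token's role must cover the requested action.
RANK = {"member": 0, "moderator": 1, "admin": 2}


def _mac(payload, secret):
    return hmac.new(secret, payload, hashlib.sha256).digest()


def issue_token(listname, role, issued_at=None, secret=SECRET):
    """Issue a CSRF token bound to a list AND to the role of the requester."""
    if role not in RANK:
        raise ValueError("unknown role")
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    payload = f"{listname}\x00{role}\x00{issued_at}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return body + "." + _mac(payload, secret).hex()


def _parse(token, secret):
    """Verify the MAC and return (listname, role, issued_at), or None if bad."""
    try:
        body, mac_hex = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        if not hmac.compare_digest(_mac(payload, secret), bytes.fromhex(mac_hex)):
            return None
        listname, role, issued_at = payload.decode().split("\x00")
        return listname, role, int(issued_at)
    except (ValueError, TypeError):
        return None


def _fresh(issued_at, now, max_age):
    return 0 <= now - issued_at <= max_age


def check_token_weak(token, listname, now=None, max_age=3600, secret=SECRET):
    """Vulnerable pattern: validates integrity, list and age, but never looks
    at the role the token was issued for, so any valid list token passes."""
    parsed = _parse(token, secret)
    if parsed is None:
        return False
    tok_list, _role, issued_at = parsed
    now = int(time.time()) if now is None else now
    return tok_list == listname and _fresh(issued_at, now, max_age)


def check_token(token, listname, required_role, now=None, max_age=3600, secret=SECRET):
    """Hardened check: additionally requires the token's role to cover the
    role the requested page demands (admin pages demand "admin")."""
    parsed = _parse(token, secret)
    if parsed is None:
        return False
    tok_list, tok_role, issued_at = parsed
    now = int(time.time()) if now is None else now
    if tok_list != listname or not _fresh(issued_at, now, max_age):
        return False
    return RANK.get(tok_role, -1) >= RANK[required_role]


def demo():
    """Constructed scenario: a moderator of list "announce" obtains a token
    from the moderation page and replays it against the admin page."""
    issued = 1_700_000_000
    now = issued + 100
    mod_token = issue_token("announce", "moderator", issued_at=issued)
    forged = issue_token("announce", "admin", issued_at=issued, secret=b"guess")
    return {
        # the weak check lets the moderator's token authorize an admin request
        "weak_accepts_admin_request": check_token_weak(mod_token, "announce", now=now),
        # the role-bound check rejects it but still accepts moderation actions
        "strict_rejects_admin_request": check_token(mod_token, "announce", "admin", now=now),
        "strict_accepts_moderation": check_token(mod_token, "announce", "moderator", now=now),
        # tokens for another list, with a bad MAC, or too old are rejected
        "wrong_list_rejected": check_token(mod_token, "dev", "moderator", now=now),
        "wrong_secret_rejected": check_token(forged, "announce", "admin", now=now),
        "expired_rejected": check_token(mod_token, "announce", "moderator", now=issued + 7200),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the role is part of the signed payload and is compared against the role the handler requires, rather than the handler trusting that whoever presents a valid token for the list is allowed to do what that page does.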