Hi Thomas,

On Tue, Dec 14, 2021 at 09:13:02PM +0100, Salvatore Bonaccorso wrote:
> Control: tags -1 + upstream security
>
> Hi Thomas,
>
> On Tue, Dec 14, 2021 at 11:23:53AM +0100, Thomas Arendsen Hein wrote:
> > Package: mailman
> > Version: 1:2.1.29-1+deb10u2
> > Severity: important
> >
> > Hi!
> >
> > Mailman 2.1.38 has been released to fix CVE-2021-44227 (a list
> > member or moderator can get a CSRF token and craft an admin request),
> > and 2.1.39 has been released to fix a regression in above fix and
> > to update the fix for CVE-2021-42097.
> >
> > https://mail.python.org/archives/list/mailman-annou...@python.org/thread/D54X2LXETPMVP5KZNM2WP6Z6UOPJXSVD/
> >
> > Can you update the packages for Debian buster (and ideally for
> > stretch LTS, too)?
>
> See: https://bugs.debian.org/1001556 so it's pending for the next
> buster point release.
>
> > In bug report #1000367 an updated package 1:2.1.29-1+deb10u3 has
> > been created, but it is not yet available via buster-security.
> > That's why I have marked this ticket with "1:2.1.29-1+deb10u2"
> > above.
>
> Samewise: https://bugs.debian.org/1000386
>
> So in summary, all the CVE fixes are already pending for the next
> point release for buster.
Btw, that said, I would appreciate it if the proposed packages got some
additional testing exposure. I will also try to provide, in the next
days, a followup for the additional regression fix and improvement
bugfix mentioned in the 2.1.39 release.

Regards,
Salvatore