Your message dated Tue, 30 Nov 2021 20:47:20 +0000
with message-id <[email protected]>
and subject line Bug#1000367: fixed in mailman 1:2.1.29-1+deb10u3
has caused the Debian Bug report #1000367,
regarding mailman: CVE-2021-43331 (XSS) and CVE-2021-43332 (moderator can discover admin password)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)
--
1000367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000367
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mailman
Version: 1:2.1.29-1+deb10u2
Severity: important
Hi!
Mailman 2.1.36 and 2.1.37 have been released to fix CVE-2021-43331 (XSS) and CVE-2021-43332 (moderator can discover admin password):
https://mail.python.org/archives/list/[email protected]/thread/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/
Can you update the packages for Debian buster (and ideally for stretch LTS, too)?
Thank you for maintaining the package, this has been very helpful.
Best Regards,
Thomas Arendsen Hein
-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-18-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), LANGUAGE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages mailman depends on:
pn apache2 | httpd <none>
ii cron [cron-daemon] 3.0pl1-134+deb10u1
ii debconf [debconf-2.0] 1.5.71+deb10u1
ii libc6 2.28-10
ii logrotate 3.14.0-4
ii lsb-base 10.2019051400
ii python 2.7.16-1
ii python-dnspython 1.16.0-1+deb10u1
ii ucf 3.0038+nmu1
Versions of packages mailman recommends:
ii postfix [mail-transport-agent] 3.4.14-0+deb10u1
Versions of packages mailman suggests:
pn listadmin <none>
ii lynx 2.8.9rel.1-3+deb10u1
pn mailman3-full <none>
pn spamassassin <none>
--
Thomas Arendsen Hein <[email protected]>
OpenPGP key: https://intevation.de/~thomas/thomas_pgp.asc (0xD45DE28FF3A2250C)
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
--- End Message ---
--- Begin Message ---
Source: mailman
Source-Version: 1:2.1.29-1+deb10u3
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of mailman, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated mailman package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 20 Nov 2021 15:17:30 +0100
Source: mailman
Architecture: source
Version: 1:2.1.29-1+deb10u3
Distribution: buster
Urgency: medium
Maintainer: Mailman for Debian <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1000367
Changes:
mailman (1:2.1.29-1+deb10u3) buster; urgency=medium
.
* Non-maintainer upload by the Security Team.
* Potential XSS attack via the user options page (CVE-2021-43331) (Closes: #1000367)
* A list moderator can crack the list admin password encrypted in a CSRF token (CVE-2021-43332) (Closes: #1000367)
--- End Message ---