[SECURITY] [DLA 2791-1] mailman security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2791-1] mailman security update
From: "Chris Lamb" <lamby@debian.org>
Date: Sat, 23 Oct 2021 12:53:58 -0400 (EDT)
Message-id: <[🔎] 163500799071.67456.2323652859665786486@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2791-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
October 23, 2021                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : mailman
Version        : 1:2.1.23-1+deb9u7
CVE IDs        : CVE-2021-42096, CVE-2021-42097

It was discovered that there was a potential remote privilege
escalation vulnerability in the Mailman mailing-list manager.

Some CSRF token values were derived from the admin password, and that
could have been used to conductg a brute-force attack against that
password.

For Debian 9 "Stretch", this problem has been fixed in version
1:2.1.23-1+deb9u7.

We recommend that you upgrade your mailman packages.

For the detailed security status of mailman please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mailman

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmF0PfUACgkQHpU+J9Qx
HljJQQ/9GMRaJRvJqStHpWpggZwgRYv0q5tHBjIKvpswXKATW7+95T60W+0mlGI+
II6Ew93/dJ1lvlXH5QgssnmGNZcPrtUd1H4STfhxQq4wU/F14XE6m6IXT8lxCeMm
G5/yGnC+HLHVMEwVIhbsAl8w10a6eNCpn7wrgpuQ5lmgHcBUIO3scfDrk7CoWg5j
wzO0WiIzwdzGTCuOkZv6yqTmR/MxsUVoUn2XGA57zhToOfV9E3bAaAiV7LzaCb99
RSN1S4LnGVYn0k4rItiys58tx8jETpOC1ERAT1w5d72K6NEhjr8Dwr76ABlgnUe9
0ClHOKof4owf3ub8UQsyOdsWwQ/lo7pLfhD2DIeYktOWPaBjfFZkyvgSoKqOD3bp
P+qE+7gYY89YWlLXJ1v/uujnUa5j0ofuxlS/0HisO5tKnQc+dv2NpJMsPEp4zczV
H/UquX70DSgnbLIkviZqGU+7X++sHWVKbWl5I59ZetI7FgbcbxJPFUaW0lhNzkwx
T9d4E+lR1dQffyc7eaI4AKBi1d96FnR21IuP1OHFrWVSsAkWtcaAV1njfkU1kpZV
E7flXKuhqLi+hxwiuBCJEz7QNUNDY4lav975mrw6YXtPdsOFQ/4rlK1PtvqNogmb
ZMTzwXDAC53B4xycybC411d1UH0FHtRvDCS68aMjc1M/UYii+Ls=
=ZwJh
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2790-1] python-babel security update
Next by Date: [SECURITY] [DLA 2792-1] faad2 security update
Previous by thread: [SECURITY] [DLA 2790-1] python-babel security update
Next by thread: [SECURITY] [DLA 2792-1] faad2 security update
Index(es):
- Date
- Thread