Debian Security Advisory
DLA-2791-1 mailman -- LTS security update
- Date Reported:
- 26 Oct 2021
- Affected Packages: mailman
- Security database references:
- In Mitre's CVE dictionary: CVE-2021-42096, CVE-2021-42097.
- More information:
It was discovered that there was a potential remote privilege escalation vulnerability in the Mailman mailing-list manager. Some CSRF token values were derived from the admin password, and that could have been used to conduct a brute-force attack against that password.
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.
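To make the flaw concrete, here is an added, simplified illustration (not Mailman's own code, and not its actual token format): a CSRF token that is a plain hash of the admin password plus public context can be recomputed by anyone holding a token, so it becomes an offline oracle for password guesses; the hardened variant keys the token with a random per-installation secret that never leaves the server and carries no information about the password. The scheme, list name, user and key are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Everything below is an added, simplified illustration, not Mailman's code.

def weak_csrf_token(admin_password: str, listname: str, user: str) -> str:
    """Weak design (the class of flaw the advisory describes, simplified):
    the token is a plain hash of the admin password plus public context.
    Anyone holding a token can recompute it for a guessed password and
    compare, so the token doubles as an offline password-check oracle."""
    data = f"{admin_password}:{listname}:{user}".encode()
    return hashlib.sha1(data).hexdigest()

def strong_csrf_token(server_key: bytes, listname: str, user: str,
                      nonce: Optional[bytes] = None) -> str:
    """Hardened design: HMAC under a random per-installation key that never
    leaves the server. The token does not depend on the admin password at
    all, so possessing it gives no way to test password guesses."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    msg = f"{listname}:{user}:".encode() + nonce
    mac = hmac.new(server_key, msg, hashlib.sha256).hexdigest()
    return nonce.hex() + ":" + mac

def verify_strong_csrf_token(server_key: bytes, listname: str, user: str,
                             token: str) -> bool:
    """Server-side check: recompute under the secret key and compare in
    constant time. Malformed, tampered or mis-bound tokens are rejected."""
    nonce_hex, sep, _ = token.partition(":")
    if not sep:
        return False
    try:
        nonce = bytes.fromhex(nonce_hex)
    except ValueError:
        return False
    expected = strong_csrf_token(server_key, listname, user, nonce)
    return hmac.compare_digest(expected, token)

def recompute_matches(token: str, guess: str, listname: str, user: str) -> bool:
    """What an outsider can do with a weak token and a single password guess:
    recompute and compare, with no server involvement. True means the guess
    is confirmed offline, which is exactly why the design is unsafe."""
    return hmac.compare_digest(weak_csrf_token(guess, listname, user), token)
```

With the hardened scheme the only party able to confirm or reject a token is the server holding `server_key`, so every verification attempt is visible in its logs and can be rate-limited.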
For Debian 9 stretch, these problems have been fixed in version 1:2.1.23-1+deb9u7.
We recommend that you upgrade your mailman packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS