Publishing details
Changelog
mailman (1:2.1.29-1ubuntu3.1) focal-security; urgency=medium

  * SECURITY UPDATE: Potential Privilege escalation via the user
    options page. (LP: #1947639)
    - debian/patches/CVE-2021-42096-CVE-2021-42097.patch: Always make
      the CSRF token for the user
    - CVE-2021-42096
  * SECURITY UPDATE: Potential CSRF attack via the user options page
    (LP: #1947640)
    - debian/patches/CVE-2021-42096-CVE-2021-42097.patch: ensure token
      is for the user whose option page is being requested
    - CVE-2021-42097
  * SECURITY UPDATE: Arbitrary Content Injection
    - debian/patches/CVE-2020-12108.diff: removed
      safeusers variable that allows arbitrary content
      to be injected in Mailman/Cgi/options.py.
    - debian/patches/CVE-2020-15011.diff: checks if
      roster private, if so log the info in Mailman/Cgi/private.py.
    - CVE-2020-12108
    - CVE-2020-15011
  * SECURITY UPDATE: XSS vulnerability
    - debian/patches/CVE-2020-12137.diff: use .bin extension
      for scrubbed application/octet-stream files in
      Mailman/Handlers/Scrubber.py.
    - CVE-2020-12137

 -- Paulo Flabiano Smorigo <email address hidden>  Tue, 26 Oct 2021 17:47:22 +0000
Builds
Built packages
- mailman: Web-based mailing list manager (legacy branch)
- mailman-dbgsym: debug symbols for mailman