[ubuntu/focal-updates] mailman 1:2.1.29-1ubuntu3.1 (Accepted)
Ubuntu Archive Robot
ubuntu-archive-robot at lists.canonical.com
Mon Nov 1 11:58:09 UTC 2021
mailman (1:2.1.29-1ubuntu3.1) focal-security; urgency=medium

  * SECURITY UPDATE: Potential privilege escalation via the user
    options page. (LP: #1947639)
    - debian/patches/CVE-2021-42096-CVE-2021-42097.patch: Always make
      the CSRF token for the user
    - CVE-2021-42096
  * SECURITY UPDATE: Potential CSRF attack via the user options page
    (LP: #1947640)
    - debian/patches/CVE-2021-42096-CVE-2021-42097.patch: ensure token
      is for the user whose option page is being requested
    - CVE-2021-42097
  * SECURITY UPDATE: Arbitrary content injection
    - debian/patches/CVE-2020-12108.diff: removed
      safeusers variable that allows arbitrary content
      to be injected in Mailman/Cgi/options.py.
    - debian/patches/CVE-2020-15011.diff: checks if
      roster private, if so log the info in Mailman/Cgi/private.py.
    - CVE-2020-12108
    - CVE-2020-15011
  * SECURITY UPDATE: XSS vulnerability
    - debian/patches/CVE-2020-12137.diff: use .bin extension
      for scrubbed application/octet-stream files in
      Mailman/Handlers/Scrubber.py.
    - CVE-2020-12137
Date: 2021-10-28 23:05:10.440700+00:00
Changed-By: Paulo Flabiano Smorigo <pfsmorigo at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/mailman/1:2.1.29-1ubuntu3.1
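The two CVE-2021-42096/CVE-2021-42097 entries above describe one property: an options-page CSRF token must be bound to the subscriber whose page is being requested, not merely to the list and the page. The following is an added illustration of that check and is not Mailman's own code or the Ubuntu patch; the key name LIST_SECRET, the token layout, the TTL, the function names and the e-mail addresses are all constructed for the example. It shows a token check that ignores the user beside one that recomputes the HMAC with the user from the request, so a token minted for one subscriber is rejected on another subscriber's page.

```python
import hashlib
import hmac
import time

# Constructed example key. Mailman 2 keeps a secret per list; the value
# and the name LIST_SECRET are assumptions of this example, not Mailman's.
LIST_SECRET = b"constructed-example-list-secret"
TOKEN_TTL = 3600  # assumed lifetime in seconds, not Mailman's value


def _mac(listname, context, user, issued):
    """HMAC over every field the token is meant to be bound to.
    Fields are NUL-separated so 'a'+'bc' and 'ab'+'c' cannot collide."""
    fields = (listname, context, user or "", str(issued))
    msg = b"\0".join(f.encode("utf-8") for f in fields)
    return hmac.new(LIST_SECRET, msg, hashlib.sha256).hexdigest()


def make_token(listname, context, user=None, now=None):
    """Mint a token as '<issued>.<hmac>'. With user=None the token is bound
    only to the list and the page, the gap behind CVE-2021-42097."""
    issued = int(time.time() if now is None else now)
    return "%d.%s" % (issued, _mac(listname, context, user, issued))


def _verify(token, listname, context, user, now):
    """Parse, enforce the lifetime, then compare MACs in constant time."""
    try:
        issued_s, mac = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    now = int(time.time() if now is None else now)
    if issued > now or now - issued > TOKEN_TTL:
        return False
    expected = _mac(listname, context, user, issued)
    return hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8"))


def check_unbound(token, listname, context, now=None):
    """Pre-fix shape of the check: any authentic token for this list and
    page is accepted, whoever's options are being changed."""
    return _verify(token, listname, context, None, now)


def check_bound(token, listname, context, requested_user, now=None):
    """Post-fix shape: the MAC is recomputed with the user named in the
    request (the owner of the options page), so a token minted for
    another subscriber cannot authorise changes to this one."""
    return _verify(token, listname, context, requested_user, now)


def demo(now=1_700_000_000):
    """Exercise both checks on constructed inputs; returns a dict of
    case -> accepted?"""
    lst, ctx = "announce", "options"
    weak = make_token(lst, ctx, now=now)  # user-agnostic token
    alice = make_token(lst, ctx, "alice@example.org", now=now)
    tampered = alice[:-1] + ("0" if alice[-1] != "0" else "1")
    return {
        "unbound token usable on any page": check_unbound(weak, lst, ctx, now),
        "alice token on alice page": check_bound(alice, lst, ctx, "alice@example.org", now),
        "alice token on bob page": check_bound(alice, lst, ctx, "bob@example.org", now),
        "alice token on other page": check_bound(alice, lst, "admin", "alice@example.org", now),
        "alice token after expiry": check_bound(alice, lst, ctx, "alice@example.org", now + TOKEN_TTL + 1),
        "tampered token": check_bound(tampered, lst, ctx, "alice@example.org", now),
        "garbage token": check_bound("not-a-token", lst, ctx, "alice@example.org", now),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-36s %s" % (case, "accepted" if ok else "rejected"))
```

The point of `check_bound` is that the user identity comes from the request being authorised (the options page being served), never from the token itself, so an attacker who can obtain a token for their own subscription gains nothing against anyone else's page.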