
Bug#1000386: buster-pu: package mailman/1:2.1.29-1+deb10u3
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: carnil@debian.org,jmm@debian.org

Hi stable release managers,

mailman in buster is affected by two new CVEs. After considering whether they
warrant a DSA, we opted to make an update available via an upcoming point
release instead. The changes are provided by upstream:

  * Potential XSS attack via the user options page (CVE-2021-43331)

  * A list moderator can crack the list admin password encrypted in a CSRF
    token (CVE-2021-43332)

#1000367 tracks it in the BTS itself.

Regards,
Salvatore

diff -Nru mailman-2.1.29/debian/changelog mailman-2.1.29/debian/changelog
--- mailman-2.1.29/debian/changelog	2021-10-22 14:32:39.000000000 +0200
+++ mailman-2.1.29/debian/changelog	2021-11-20 15:17:30.000000000 +0100
@@ -1,3 +1,13 @@
+mailman (1:2.1.29-1+deb10u3) buster; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * Potential XSS attack via the user options page (CVE-2021-43331)
+    (Closes: #1000367)
+  * A list moderator can crack the list admin password encrypted in a CSRF
+    token (CVE-2021-43332) (Closes: #1000367)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 20 Nov 2021 15:17:30 +0100
+
 mailman (1:2.1.29-1+deb10u2) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru mailman-2.1.29/debian/patches/CVE-2021-43331.patch mailman-2.1.29/debian/patches/CVE-2021-43331.patch
--- mailman-2.1.29/debian/patches/CVE-2021-43331.patch	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.29/debian/patches/CVE-2021-43331.patch	2021-11-20 15:17:30.000000000 +0100
@@ -0,0 +1,19 @@
+Description: Potential XSS attack via the user options page
+Origin: upstream, https://bugs.launchpad.net/mailman/+bug/1949401/+attachment/5540165/+files/patch_to_fix_1949401
+Bug: https://bugs.launchpad.net/mailman/+bug/1949401
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-43331
+Forwarded: not-needed
+Last-Update: 2021-11-20
+
+=== modified file 'Mailman/Cgi/options.py'
+--- a/Mailman/Cgi/options.py
++++ b/Mailman/Cgi/options.py
+@@ -342,6 +342,8 @@ def main():
+             varhelp = qs[0]
+     if varhelp:
+         # Sanitize the topic name.
++        while '%' in varhelp:
++            varhelp = urllib.unquote_plus(varhelp)
+         varhelp = re.sub('<.*', '', varhelp)
+         topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+         return
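Review bot: the loop added at `while '%' in varhelp:` has no exit for a value whose `%` is not a valid escape. `urllib.unquote_plus` leaves a `%` that is not followed by two hex digits in place (a topic name such as `100%`), so the condition stays true and the CGI process spins forever on that request; any client that can reach the options page can trigger it. Loop on whether a pass changed anything instead, e.g. `new = urllib.unquote_plus(varhelp)` / `if new == varhelp: break` / `varhelp = new`, optionally with a small cap on rounds. The hunk also uses `urllib` without adding an import, so confirm options.py already imports it (not visible here).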
diff -Nru mailman-2.1.29/debian/patches/CVE-2021-43332.patch mailman-2.1.29/debian/patches/CVE-2021-43332.patch
--- mailman-2.1.29/debian/patches/CVE-2021-43332.patch	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.29/debian/patches/CVE-2021-43332.patch	2021-11-20 15:17:30.000000000 +0100
@@ -0,0 +1,32 @@
+Description: A list moderator can crack the list admin password encrypted in a CSRF token
+Origin: upstream, https://bugs.launchpad.net/mailman/+bug/1949403/+attachment/5540558/+files/patch_to_fix_1949403
+Bug: https://bugs.launchpad.net/mailman/+bug/1949403
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-43332
+Forwarded: not-needed
+Last-Update: 2021-11-20
+
+=== modified file 'Mailman/CSRFcheck.py'
+--- a/Mailman/CSRFcheck.py
++++ b/Mailman/CSRFcheck.py
+@@ -45,7 +45,7 @@ def csrf_token(mlist, contexts, user=Non
+         
+     for context in contexts:
+         key, secret = mlist.AuthContextInfo(context, user)
+-        if key:
++        if key and secret:
+             break
+     else:
+         return None     # not authenticated
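Review bot: `if key and secret:` changes the for/else so that a context whose `AuthContextInfo` returns a key but an empty secret is now skipped rather than ending the search, and the token is built from the next context in `contexts` that has both (or `None` is returned, reported as "not authenticated", if none does). Add a comment saying that a key alone no longer identifies an authenticated context, since the only comment nearby explains the `return None` branch, and note that the outcome now depends on the order of `contexts`, which this hunk leaves undocumented.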
+--- a/Mailman/Cgi/admindb.py
++++ b/Mailman/Cgi/admindb.py
+@@ -59,8 +59,8 @@ if mm_cfg.DISPLAY_HELD_SUMMARY_SORT_BUTT
+ else:
+     ssort = SSENDER
+ 
+-AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
+-                 mm_cfg.AuthListModerator)
++AUTH_CONTEXTS = (mm_cfg.AuthListModerator, mm_cfg.AuthListAdmin,
++                 mm_cfg.AuthSiteAdmin)
+ 
+ 
+ 
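Review bot: the reorder makes `AUTH_CONTEXTS` order-sensitive (the first context in `csrf_token` with both a key and a secret wins), so placing `AuthListModerator` ahead of `AuthListAdmin` is what keeps a moderator's token from being derived from the list-admin secret; a bare tuple literal does not convey that. Add a one-line comment that the least-privileged context must come first, and check whether any other CGI module that defines its own `AUTH_CONTEXTS` with the admin context first (none is shown in this patch) needs the same change.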
diff -Nru mailman-2.1.29/debian/patches/series mailman-2.1.29/debian/patches/series
--- mailman-2.1.29/debian/patches/series	2021-10-22 14:32:39.000000000 +0200
+++ mailman-2.1.29/debian/patches/series	2021-11-20 15:17:30.000000000 +0100
@@ -13,3 +13,5 @@
 1844-CVE-2020-12108.patch
 1848-CVE-2020-15011.patch
 1873-CVE-2021-42096_CVE-2021-42097.patch
+CVE-2021-43331.patch
+CVE-2021-43332.patch

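The CVE-2021-43331 fix above changes the options-page sanitiser from "strip from the first `<`" to "percent-decode until nothing is left to decode, then strip". The following is an added example, not Mailman's code: a Python 3 model of both versions of that sanitiser (Mailman 2.1 runs on Python 2 and calls `urllib.unquote_plus`; `urllib.parse.unquote_plus` stands in for it here, and the regex mirrors `re.sub('<.*', '', varhelp)` from options.py). The sample inputs are constructed and are modelled, as an assumption, as what the handler sees after the query-string parser has already decoded once. The decode loop stops when a pass changes nothing, rather than while a `%` is present, so a stray `%` cannot keep it spinning, and it fails closed when a nested encoding does not settle within a round budget.

```python
import re
from urllib.parse import unquote_plus

# Mirrors re.sub('<.*', '', varhelp) in Mailman/Cgi/options.py.
TAG_RE = re.compile('<.*')


def strip_from_first_lt(value):
    """Pre-fix sanitiser: drop everything from the first literal '<' onward.

    An encoded '%3C' contains no literal '<', so it passes through untouched.
    """
    return TAG_RE.sub('', value)


def decode_until_stable(value, max_rounds=8):
    """Percent-decode until a pass changes nothing. Returns (value, stable).

    Stopping on 'no change' rather than on `'%' not in value` matters: a '%'
    that is not a valid escape (e.g. '100%') is left in place by unquote_plus,
    so a loop keyed on the presence of '%' would never exit. max_rounds caps
    the work a deeply nested encoding can force; if the budget runs out before
    the value settles, stable is False.
    """
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            return value, True
        value = decoded
    return value, False


def sanitize_varhelp(value):
    """Post-fix sanitiser: decode first, then strip.

    Fails closed (empty topic name) if the value does not settle within the
    round budget, instead of passing a still-encoded value downstream.
    """
    decoded, stable = decode_until_stable(value)
    if not stable:
        return ''
    return strip_from_first_lt(decoded)


# Constructed inputs (assumption: one round of decoding already applied by the
# query-string parser before the handler sees them).
SAMPLES = {
    'plain': 'Topic+1',
    'encoded': '%3Cscript%3Ealert(1)%3C/script%3E',
    'double': '%253Cscript%253E',
    'stray_pct': '100%',
    'deep': '%' + '25' * 9 + '3C',  # '<' percent-encoded ten times over
}


def compare():
    """Map each sample to (pre-fix result, post-fix result)."""
    return {name: (strip_from_first_lt(v), sanitize_varhelp(v))
            for name, v in SAMPLES.items()}


if __name__ == '__main__':
    for name, (before, after) in compare().items():
        print(f'{name:10s} before={before!r:42s} after={after!r}')
```

The pre-fix sanitiser passes the `encoded` and `double` samples unchanged because neither contains a literal `<`; the post-fix one decodes them to `<script>...` and strips to an empty string, while `100%` survives as a legitimate topic name and the ten-layer `deep` sample is rejected rather than decoded forever.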