
Bug#1006525: buster-pu: package mailman/1:2.1.29-1+deb10u5



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: carnil@debian.org

Hi Stable release managers,

Unfortunately, on top of 1:2.1.29-1+deb10u4, another update is
needed:

The fix for CVE-2021-42097 was case sensitive and should not have been.
The fix for CVE-2021-44227 introduced a potential NameError in
logging.

See:
https://mail.python.org/archives/list/mailman-announce@python.org/thread/D54X2LXETPMVP5KZNM2WP6Z6UOPJXSVD/

On top of 1:2.1.29-1+deb10u4 I'm thus applying the upstream patch to
resolve those issues:

> mailman (1:2.1.29-1+deb10u5) buster; urgency=medium
> 
>   * Non-maintainer upload by the Security Team.
>   * CSRF check for user tokens should not be case sensitive (Closes: #1001685)
>     - The fix for CVE-2021-42097 requires that the user submitting a
>       user options form match the user in the CSRF token submitted with
>       the form, but the match is case sensitive and should not be.
>     - There is also a potential NameError exception in logging a
>       mismatch.
> 
>  -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 26 Feb 2022 20:17:25 +0100

The debdiff is attached as well (against the previous version only, not
the base version; let me know if you want both in this case).

Regards,
Salvatore
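The two defects the upload fixes are easy to see in a small model of a user-bound CSRF token. The following is an added example for this bug report and is not Mailman's code: the token format (user, timestamp and an HMAC over both), the constructed secret and the `csrf_check` function are all assumptions. It shows a token that carries the user it was issued for, a strict comparison that rejects a legitimate user who merely typed their address with different capitalisation, the case-insensitive comparison the patch switches to, and a rejection path whose log call only references names that exist, so a mismatch returns False instead of raising.

```python
import hashlib
import hmac
import logging
import time

# Constructed demo secret for this example only; a real deployment derives
# per-list secrets and never embeds them in source.
SECRET = b"constructed-demo-secret-do-not-use"
TOKEN_LIFETIME = 3600  # seconds a token stays valid (assumed value)


def issue_token(user, now=None):
    """Issue a CSRF token bound to `user` (hypothetical format).

    Token layout: "<user>:<unix ts>:<hex hmac-sha256 over user:ts>".
    """
    ts = str(int(now if now is not None else time.time()))
    msg = "%s:%s" % (user, ts)
    sig = hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()
    return "%s:%s" % (msg, sig)


def verify_token(token, now=None):
    """Return the user a token was issued for, or None if forged or expired."""
    try:
        # rsplit keeps any ':' inside the user part intact.
        user, ts, sig = token.rsplit(":", 2)
        issued = int(ts)
    except ValueError:
        return None
    expected = hmac.new(SECRET, ("%s:%s" % (user, ts)).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checking leaks no timing info.
    if not hmac.compare_digest(sig, expected):
        return None
    current = now if now is not None else time.time()
    if current - issued > TOKEN_LIFETIME:
        return None
    return user


def user_matches(cgi_user, token_user, case_sensitive):
    """Compare the submitting user with the user the token was issued for.

    Email addresses are treated case-insensitively here, as the patch does
    with .lower() on both sides; the strict variant is the pre-fix behaviour.
    """
    if case_sensitive:
        return cgi_user == token_user
    return cgi_user.lower() == token_user.lower()


def csrf_check(cgi_user, token, case_sensitive=False, now=None):
    """Accept the form only if the token is valid and issued for cgi_user."""
    token_user = verify_token(token, now)
    if token_user is None:
        return False
    # Same shape as the patched Mailman check: an empty cgi_user skips the
    # binding test, a mismatch is logged and rejected.  Only names defined in
    # this scope are used in the log call, so the rejection path cannot raise.
    if cgi_user and not user_matches(cgi_user, token_user, case_sensitive):
        logging.warning("Form for user %s submitted with CSRF token issued "
                        "for %s.", cgi_user, token_user)
        return False
    return True


if __name__ == "__main__":
    tok = issue_token("user@example.com", now=1000)
    print("strict, different case:", csrf_check("User@Example.com", tok, True, 1000))
    print("fixed, different case: ", csrf_check("User@Example.com", tok, False, 1000))
    print("other user's token:    ",
          csrf_check("victim@example.com", issue_token("attacker@example.com", now=1000), False, 1000))
```

The strict comparison is the behaviour #1001685 reports: a valid token for `user@example.com` is refused when the form arrives for `User@Example.com`. Lowercasing both sides matches the way the patch compares `cgi_user` and `raw_user`; a token issued to a different address, a tampered token or an expired one is still rejected in every mode.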
diff -Nru mailman-2.1.29/debian/changelog mailman-2.1.29/debian/changelog
--- mailman-2.1.29/debian/changelog	2021-12-12 10:42:54.000000000 +0100
+++ mailman-2.1.29/debian/changelog	2022-02-26 20:17:25.000000000 +0100
@@ -1,3 +1,15 @@
+mailman (1:2.1.29-1+deb10u5) buster; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * CSRF check for user tokens should not be case sensitive (Closes: #1001685)
+    - The fix for CVE-2021-42097 requires that the user submitting a
+      user options form match the user in the CSRF token submitted with
+      the form, but the match is case sensitive and should not be.
+    - There is also a potential NameError exception in logging a
+      mismatch.
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 26 Feb 2022 20:17:25 +0100
+
 mailman (1:2.1.29-1+deb10u4) buster; urgency=medium
 
   * Non-maintainer upload by the Security Team.
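Review bot: the changelog bullet attributes both the case-sensitive match and the NameError to the CVE-2021-42097 fix, while the cover mail above attributes the NameError to the CVE-2021-44227 fix; please make the two agree (or name both CVEs in the bullet) so the security-tracker entry for this upload is unambiguous about which fix the follow-up corrects.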
diff -Nru mailman-2.1.29/debian/patches/1954694.patch mailman-2.1.29/debian/patches/1954694.patch
--- mailman-2.1.29/debian/patches/1954694.patch	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.29/debian/patches/1954694.patch	2022-02-26 20:17:25.000000000 +0100
@@ -0,0 +1,30 @@
+Description: CSRF check for user tokens should not be case sensitive
+ The fix for CVE-2021-42097 requires that the user submitting a user options
+ form match the user in the CSRF token submitted with the form, but the match is
+ case sensitive and should not be.
+ .
+ There is also a potential NameError exception in logging a mismatch.
+Origin: upstream, https://bugs.launchpad.net/mailman/+bug/1954694/+attachment/5547352/+files/patch.txt
+Bug: https://bugs.launchpad.net/mailman/+bug/1954694
+Bug-Debian: https://bugs.debian.org/1001685
+Forwarded: not-needed
+Last-Update: 2021-12-13
+
+=== modified file 'Mailman/CSRFcheck.py'
+--- old/Mailman/CSRFcheck.py	2021-11-30 17:50:49 +0000
++++ new/Mailman/CSRFcheck.py	2021-12-13 17:54:34 +0000
+@@ -85,11 +85,11 @@
+             # of the fix for CVE-2021-42096 but it must match the user for
+             # whom the options page is requested.
+             raw_user = UnobscureEmail(urllib.unquote(user))
+-            if cgi_user and cgi_user != raw_user:
++            if cgi_user and cgi_user.lower() != raw_user.lower():
+                 syslog('mischief',
+                        'Form for user %s submitted with CSRF token '
+                        'issued for %s.',
+-                       options_user, raw_user)
++                       cgi_user, raw_user)
+                 return False
+         context = keydict.get(key)
+         key, secret = mlist.AuthContextInfo(context, user)
+
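Review bot: the `options_user` -> `cgi_user` change is the important one here: `options_user` is not defined in the surrounding code, so before this patch any user mismatch would have raised NameError inside the `syslog('mischief', ...)` call instead of reaching `return False`, turning a clean rejection into a traceback (still a denial, not a bypass, since the form was never processed). The `.lower()` on both sides of `cgi_user != raw_user` is the right shape for email addresses, and the `cgi_user and` guard keeps the previous behaviour of skipping the check when no user is supplied. One header nit: the Description and the Debian changelog say CVE-2021-42097, while the unchanged context comment reads "of the fix for CVE-2021-42096"; confirm which identifier is meant, or mention both in the Description so the DEP-3 header matches the code it patches.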
diff -Nru mailman-2.1.29/debian/patches/series mailman-2.1.29/debian/patches/series
--- mailman-2.1.29/debian/patches/series	2021-12-12 10:42:54.000000000 +0100
+++ mailman-2.1.29/debian/patches/series	2022-02-26 20:17:25.000000000 +0100
@@ -16,3 +16,4 @@
 CVE-2021-43331.patch
 CVE-2021-43332.patch
 CVE-2021-44227.patch
+1954694.patch
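Review bot: appending `1954694.patch` last is correct, since it rewrites lines the preceding CVE patches already touched (the hunk's context references the CVE-2021-42096 comment). Minor style point: every other entry shown in the series is named by CVE id, and this is the only one named by a Launchpad bug number; a name such as `CVE-2021-42097-followup.patch` would make it obvious in `debian/patches/` which fix it amends without opening the file.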
