GNU Mailman

CSRF check for user tokens should not be case sensitive.

Bug #1954694 reported by Mark Sapiro on 2021-12-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	GNU Mailman	Fix Released	Medium	Unassigned	GNU Mailman 2.1.39

Bug Description

The fix for CVE-2021-42097 requires that the user submitting a user options form match the user in the CSRF token submitted with the form, but the match is case sensitive and should not be.

There is also a potential NameError exception in logging a mismatch.

See original description

Related branches

lp:mailman/2.1

Mark Sapiro (msapiro) on 2021-12-13

description:

updated

Revision history for this message

Mark Sapiro (msapiro) wrote on 2021-12-13:

Patch to fix this issue. Edit (844 bytes, text/plain)

Mark Sapiro (msapiro) on 2021-12-13

Changed in mailman:
status:	In Progress → Fix Released

Ant Phyo Hlyand Tun (antphyo) on 2022-01-18

Changed in mailman:
assignee:	Mark Sapiro (msapiro) → Ant Phyo Hlyand Tun (antphyo)

Mark Sapiro (msapiro) on 2022-01-18

Changed in mailman:
assignee:	Ant Phyo Hlyand Tun (antphyo) → nobody

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Patch to fix this issue. Edit

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.