Format: 1.8
Date: Tue, 26 Oct 2021 17:47:22 +0000
Source: mailman
Binary: mailman
Architecture: s390x
Version: 1:2.1.29-1ubuntu3.1
Distribution: focal
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Paulo Flabiano Smorigo
Description:
 mailman - Web-based mailing list manager (legacy branch)
Launchpad-Bugs-Fixed: 1947639 1947640
Changes:
 mailman (1:2.1.29-1ubuntu3.1) focal-security; urgency=medium
 .
   * SECURITY UPDATE: Potential Privilege escalation via the user options
     page. (LP: #1947639)
     - debian/patches/CVE-2021-42096-CVE-2021-42097.patch: Always make the
       CSRF token for the user
     - CVE-2021-42096
   * SECURITY UPDATE: Potential CSRF attack via the user options page
     (LP: #1947640)
     - debian/patches/CVE-2021-42096-CVE-2021-42097.patch: ensure token is
       for the user whose option page is being requested
     - CVE-2021-42097
   * SECURITY UPDATE: Arbitrary Content Injection
     - debian/patches/CVE-2020-12108.diff: removed safeusers variable that
       allows arbitrary content to be injected in Mailman/Cgi/options.py.
     - debian/patches/CVE-2020-15011.diff: checks if roster private, if so
       log the info in Mailman/Cgi/private.py.
     - CVE-2020-12108
     - CVE-2020-15011
   * SECURITY UPDATE: XSS vulnerability
     - debian/patches/CVE-2020-12137.diff: use .bin extension for scrubbed
       application/octet-stream files in Mailman/Handlers/Scrubber.py.
     - CVE-2020-12137
Checksums-Sha1:
 88e237c40b593aa3b1dd048d0689bc1e20f79cd0 17384 mailman-dbgsym_2.1.29-1ubuntu3.1_s390x.ddeb
 28c00f4641ca8bfa838f899d4cf978e0d8b4309b 6598 mailman_2.1.29-1ubuntu3.1_s390x.buildinfo
 d67fdc5e5cb4d57da3374e4fa79ab9e83113aac8 4172224 mailman_2.1.29-1ubuntu3.1_s390x.deb
Checksums-Sha256:
 45450b717eed89912cbe38aba163edc870615676d2affe86bc00d50e5bf06ad8 17384 mailman-dbgsym_2.1.29-1ubuntu3.1_s390x.ddeb
 cd1bb07e33c1ca4a8711b8f97bce1e3d29e47c998d4bbfb51f98e3caa92c9b70 6598 mailman_2.1.29-1ubuntu3.1_s390x.buildinfo
 0e912c327ff493e3ae4c8ba3029f7ea2c5ac7cf97435fb6eee071335e0d8a977 4172224 mailman_2.1.29-1ubuntu3.1_s390x.deb
Files:
 3df2b046e5e652f8a639077de9042436 17384 debug optional mailman-dbgsym_2.1.29-1ubuntu3.1_s390x.ddeb
 a2cd5c1071826e2666b64482e0040e64 6598 mail optional mailman_2.1.29-1ubuntu3.1_s390x.buildinfo
 fc5b93b5e0eaedc06a0dc2730275afc4 4172224 mail optional mailman_2.1.29-1ubuntu3.1_s390x.deb
Original-Maintainer: Mailman for Debian