
=====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN548
_____________________________________________________________________

DATE                : 21/10/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Mailman 2.1.x, versions prior to 2.1.35.

=====================================================================
https://mail.python.org/archives/list/mailman-users@python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/
_____________________________________________________________________

Mark Sapiro
12 Oct 2021 04:02

A couple of vulnerabilities have recently been reported. Thanks to Andre
Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and
helping with the development of a fix.

CVE-2021-42096 could allow a list member to discover the list admin
password.

CVE-2021-42097 could allow a list member to create a successful CSRF
attack against another list member enabling takeover of the member's account.

These attacks can't be carried out by non-members so may not be of
concern for sites with only trusted list members.

In any case, I am planning to make a 2.1.35 release and to post a patch
for those who don't want to upgrade to address these issues. This is
scheduled for Tuesday, October 19.

Mark Sapiro mark@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
