Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 1 Dec 2021 19:10:07 GMT
From:      Matthias Andree <mandree@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: f1e61db57904 - main - security/vuxml: mail/mailman < 2.1.38 CSRF vuln.
Message-ID:  <202112011910.1B1JA7fL077773@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f1e61db579041f50e45a063829e3e128965dd55d

commit f1e61db579041f50e45a063829e3e128965dd55d
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2021-12-01 19:06:08 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2021-12-01 19:09:11 +0000

    security/vuxml: mail/mailman < 2.1.38 CSRF vuln.
    
    Security:       CVE-2021-44227
    Security:       0d6efbe3-52d9-11ec-9472-e3667ed6088e
---
 security/vuxml/vuln-2021.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
index 03289dce1536..5eff6e567470 100644
--- a/security/vuxml/vuln-2021.xml
+++ b/security/vuxml/vuln-2021.xml
@@ -1,3 +1,51 @@
+  <vuln vid="0d6efbe3-52d9-11ec-9472-e3667ed6088e">
+	  <topic>mailman &lt; 2.1.38 -- CSRF vulnerability of list mod or member against list admin page</topic>
+    <affects>
+      <package>
+	<name>mailman</name>
+	<range><lt>2.1.38</lt></range>
+      </package>
+      <package>
+	<name>mailman-exim4</name>
+	<range><lt>2.1.38</lt></range>
+      </package>
+      <package>
+	<name>mailman-exim4-with-htdig</name>
+	<range><lt>2.1.38</lt></range>
+      </package>
+      <package>
+	<name>mailman-postfix</name>
+	<range><lt>2.1.38</lt></range>
+      </package>
+      <package>
+	<name>mailman-postfix-with-htdig</name>
+	<range><lt>2.1.38</lt></range>
+      </package>
+      <package>
+	<name>mailman-with-htdig</name>
+	<range><lt>2.1.38</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Mark Sapiro reports:</p>
+	<blockquote cite="https://bugs.launchpad.net/mailman/+bug/1952384">;
+	  <p>A list moderator or list member can potentially carry out a CSRF attack
+	    by getting a list admin to visit a crafted web page.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-44227</cvename>
+      <url>https://bugs.launchpad.net/mailman/+bug/1952384</url>;
+      <url>https://www.mail-archive.com/mailman-users@python.org/msg73979.html</url>;
+    </references>
+    <dates>
+      <discovery>2021-11-25</discovery>
+      <entry>2021-12-01</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="4548ec97-4d38-11ec-a539-0800270512f4">
     <topic>rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse</topic>
     <affects>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202112011910.1B1JA7fL077773>