[20:10] i'm assuming the answer is probably "yes" so sorry if this is being asked for the 10th time today, but are CVE-2021-42096 and CVE-2021-42097 for mailman 2.1 already on somebody's radar? looks like the lp bugs include directly backportable patches, but i don't see any mention in the ubuntu security tracker...
[20:10] GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.
[20:10] https://mail.python.org/archives/list/mailman-announce@python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/
[20:10] GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).
[20:13] fungi: I think you're the first, and I don't see them in our database yet
[20:14] thanks sarnold! also, i hate being first :/
[20:15] luckily it's all python, so we'll probably just end up hand-patching our servers for those, but now that it's made the rounds on the oss-sec ml i figure there's going to be others looking closer
=== jdstrand_ is now known as jdstrand
[20:44] fungi: sorry, which lp bugs?
[20:45] I think https://bugs.launchpad.net/mailman/+bug/1947639 and https://bugs.launchpad.net/mailman/+bug/1947640. The patch for both is apparently the same.
[20:45] https://bugs.launchpad.net/mailman/+bug/1947639 and https://bugs.launchpad.net/mailman/+bug/1947640
[20:45] Launchpad bug 1947639 in GNU Mailman "Potential Privilege escalation via the user options page." [Medium, Fix Released]
[20:45] Launchpad bug 1947640 in GNU Mailman "Potential CSRF attack via the user options page." [Medium, Fix Released]
[20:45] sbeattie: I've added these to uct
[21:00] thanks
[21:42] yep those, sorry stepped away to attend to a hot wok for a while
[21:42] the ones linked from the ml post
[21:43] thanks for the quick attention!
[22:42] mailman/bionic is building in https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/