fungi | anybody happen to know if there's any sru in progress for fixing CVE-2021-42096 and CVE-2021-42097 in focal's mailman package? | 15:24 |
---|---|---|
ubottu | GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42096> | 15:24 |
ubottu | GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover). <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42097> | 15:24 |
fungi | it got addressed in bionic and xenial last week | 15:25 |
grimmware | amurray, sbeattie: hey, the cvescan json is still out of date meaning we're kinda flying blind on our system patching - is there an ETA for this getting fixed? | 15:40 |
ebarretto | fungi, it is on our radar to patch it for focal, if I remember correctly we have some other cves to fix for it, but we are currently sprinting so we don't have a proper ETA, but it is on our radar for sure | 16:17 |
fungi | ebarretto: oh, no worries, just checking whether it had fallen through the cracks. it's not urgent for me, i've just hand-patched the relevant files on our servers for the time being anyway | 16:19 |
fungi | and thanks for the info! | 16:20 |
grimmware | amurray, sbeattie: equally, if the downtime is due to bugs that are addressable by contributions from people outside of canonical, I'm pretty sure we could probably dedicate some time to some patches | 16:48 |
grimmware | (I appreciate that's probably a stretch but you never know until you ask) | 16:49 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!