[15:24] anybody happen to know if there's any sru in progress for fixing CVE-2021-42096 and CVE-2021-42097 in focal's mailman package?
[15:24] GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.
[15:24] GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).
[15:25] it got addressed in bionic and xenial last week
[15:40] amurray, sbeattie: hey, the cvescan json is still out of date meaning we're kinda flying blind on our system patching - is there an ETA for this getting fixed?
[16:17] fungi, it is on our radar to patch it for focal, if I remember correctly we have some other cves to fix for it, but we are currently sprinting so we don't have a proper ETA, but it is on our radar for sure
[16:19] ebarretto: oh, no worries, just checking whether it had fallen through the cracks. it's not urgent for me, i've just hand-patched the relevant files on our servers for the time being anyway
[16:20] and thanks for the info!
[16:48] amurray, sbeattie: equally, if the downtime is due to bugs that are addressable by contributions from people outside of canonical I'm pretty sure we could probably dedicate some time to some patches
[16:49] (I appreciate that's probably a stretch but you never know until you ask)