Package "mailman"

  mailman (1:2.1.26-1ubuntu0.6) bionic-security; urgency=medium

  * SECURITY UPDATE: CRSF attack against a list admin
    - debian/patches/CVE-2021-44227.patch: don't allow unprivileged tokens
      for admin or admindb in Mailman/CSRFcheck.py, Mailman/Cgi/admin.py,
      Mailman/Cgi/admindb.py, Mailman/Cgi/edithtml.py.
    - CVE-2021-44227

 -- Marc Deslauriers <email address hidden> Tue, 07 Dec 2021 10:56:56 -0500

  mailman (1:2.1.26-1ubuntu0.5) bionic-security; urgency=medium

  * SECURITY UPDATE: XSS vulnerability
    - debian/patches/CVE-2021-43331.patch: sanitize URL from user
      option page in Mailman/Cgi/options.py.
    - CVE-2021-43331
  * SECURITY UPDATE: CSRF attack
    - debian/patches/CVE-2021-43332.patch: checks authorizations
      in Mailman/CSRFcheck.py, Mailman/Cgi/admindb.py.
    - CVE-2021-43332

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 17 Nov 2021 09:29:36 -0300

  mailman (1:2.1.26-1ubuntu0.4) bionic-security; urgency=medium

  * SECURITY UPDATE: Potential Privilege escalation via the user
    options page. (LP: #1947639)
    - debian/patches/CVE-2021-42096-CVE-2021-42097.patch: Always make
      the CSRF token for the user
    - CVE-2021-42096
  * SECURITY UPDATE: Potential CSRF attack via the user options page
    (LP: #1947640)
    - debian/patches/CVE-2021-42096-CVE-2021-42097.patch: ensure token
      is for the user whose option page is being requested
    - CVE-2021-42097

 -- Steve Beattie <email address hidden> Thu, 21 Oct 2021 14:24:48 -0700

  mailman (1:2.1.26-1ubuntu0.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Arbitrary Content Injection
    - debian/patches/CVE-2020-15011.diff: checks if
      roster private, if so log the info in Mailman/Cgi/private.py.
    - CVE-2020-15011

 -- <email address hidden> (Leonidas S. Barbosa) Thu, 25 Jun 2020 15:20:16 -0300

  mailman (1:2.1.26-1ubuntu0.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Arbitrary Content Injection
    - debian/patches/CVE-2020-12108.diff: removed
      safeusers variable that allows arbitrary content
      to be injected in Mailman/Cgi/options.py.
    - CVE-2020-12108

 -- <email address hidden> (Leonidas S. Barbosa) Thu, 07 May 2020 09:51:53 -0300