FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mailman -- brute-force vuln on list admin password, and CSRF vuln in releases before 2.1.35

Affected packages
mailman < 2.1.35
mailman-with-htdig < 2.1.35

Details

VuXML ID 8d65aa3b-31ce-11ec-8c32-a14e8e520dc7
Discovery 2021-10-18
Entry 2021-10-20

Mark Sapiro reports:

A potential for a list member to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.

A CSRF attack via the user options page could allow takeover of a user's account. This is fixed.

References

CVE Name CVE-2021-42096
CVE Name CVE-2021-42097
URL https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1873/NEWS#L8
URL https://bugs.launchpad.net/mailman/+bug/1947639
URL https://bugs.launchpad.net/mailman/+bug/1947640