FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mailman -- brute-force vuln on list admin password, and CSRF vuln in releases before 2.1.35

Affected packages
mailman < 2.1.35
mailman-with-htdig < 2.1.35


VuXML ID 8d65aa3b-31ce-11ec-8c32-a14e8e520dc7
Discovery 2021-10-18
Entry 2021-10-20

Mark Sapiro reports:

A potential for for a list member to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.

A CSRF attack via the user options page could allow takeover of a users account. This is fixed.


CVE Name CVE-2021-42096
CVE Name CVE-2021-42097