Security update for mailman
This update for mailman fixes the following issues:
Update to 2.1.35 to fix 2 security issues:
- A potential for for a list member to carry out an off-line brute force
attack to obtain the list admin password has been reported by Andre
Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.
CVE-2021-42096 (boo#1191959, LP:#1947639)
- A CSRF attack via the user options page could allow takeover of a users
account. This is fixed. CVE-2021-42097 (boo#1191960, LP:#1947640)
- make package build reproducible (boo#1047218)
This update was imported from the openSUSE:Leap:15.2:Update update project.
-
Submitted by
Bernhard Wiedemann (bmwiedemann)
Fixed bugs
bnc#1191959
VUL-0: CVE-2021-42096: mailman: remote privilege escalation in GNU Mailman before 2.1.35 via csrf_token derived from admin password
bnc#1047218
trackerbug: packages do not build reproducibly from including build time
bnc#1191960
VUL-0: CVE-2021-42097: mailman: remote privilege escalation in GNU Mailman before 2.1.35 via csrf_token
