| Field | Value | Field | Value |
|---|---|---|---|
| Summary | net-mail/mailman-2.1.23: Cross-site request forgery (CSRF) vulnerability (CVE-2016-6893) | | |
| Product | Gentoo Security | Reporter | Thomas Stein <himbeere> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | hanno, net-mail+disabled, pacho |
| Priority | Normal | Flags | stable-bot: sanity-check+ |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | B4 [noglsa cve] | | |
| Package list | net-mail/mailman-2.1.23 | | |
| Runtime testing required | --- | | |
Description

Thomas Stein, 2016-09-04 09:44:56 UTC:

    -*- coding: iso-8859-1 -*-
    Mailman - The GNU Mailing List Management System
    Copyright (C) 1998-2016 by the Free Software Foundation, Inc.
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

    Here is a history of user visible changes to Mailman.

    2.1.23 (27-Aug-2016)

      Security

        - CSRF protection has been extended to the user options page. This was
          actually fixed by Tokio Kikuchi as part of the fix for LP: #775294 and
          intended for Mailman 2.1.15, but that fix wasn't completely merged at
          the time. The full fix also addresses the admindb, and edithtml pages
          as well as the user options page and the previously fixed admin pages.
          Thanks to Nishant Agarwala for reporting the issue. CVE-2016-6893
          (LP: #1614841)

Hello Devs. Any progress on this issue? Thanks and cheers, t.

I've committed an ebuild for 2.1.23. This also includes a fix for the eclass changes (done in 2.1.20-r1), and the python team is asking for deprecation of the old eclass. I want to let this settle for a few days and see if new issues pop up; then we can start stabilizing. Thanks.

CVE-2016-6893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6893): Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account.

@maintainer(s), would you like to stabilize?

Yes, it was running fine for a few days now on my server; we can start stabilizing.

Target Keywords: KEYWORDS="amd64 ppc x86"

amd64 stable

x86 stable

ppc stable

Maintainer(s), please cleanup. Security, please vote.

GLSA Vote: No

Tree is clean.
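The NVD text in this bug names the defect class (a cookie-authenticated options form that accepts any POST) but does not show it. The following is an added example, not Mailman's code and not taken from this bug: a toy per-user options handler that trusts the browser-attached session cookie alone, beside a hardened handler that additionally requires a per-session anti-CSRF token (an HMAC over the session id under a server secret, compared in constant time). The `OptionsService` class, the member addresses, the option names and the server secret are all constructed for the demo; Mailman's own token scheme is not reproduced here.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the demo; a real deployment loads a
# random, persisted value instead of a literal.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# Hypothetical checkbox options on the user options page.
OPTION_FIELDS = ("digest", "hide")


def make_csrf_token(session_id: str) -> str:
    """Derive a token bound to one session; only the server can compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, token) -> bool:
    """Constant-time comparison against the token expected for this session."""
    if not isinstance(token, str) or not token:
        return False
    expected = make_csrf_token(session_id)
    return hmac.compare_digest(expected.encode(), token.encode())


def parse_option_form(form: dict) -> dict:
    """Checkbox semantics: a field is set when submitted with value 'on'."""
    return {name: form.get(name) == "on" for name in OPTION_FIELDS}


class OptionsService:
    """Toy stand-in for a per-user options page (hypothetical, not Mailman)."""

    def __init__(self):
        self.sessions = {}   # session cookie value -> member address
        self.options = {}    # member address -> option dict

    def login(self, member: str) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = member
        self.options.setdefault(member, {"digest": False, "hide": True})
        return cookie

    def render_form(self, cookie: str) -> dict:
        """What the genuine options page embeds, including the hidden token."""
        member = self.sessions[cookie]
        return {"csrf_token": make_csrf_token(cookie), **self.options[member]}

    def post_vulnerable(self, cookie: str, form: dict):
        # Trusts the cookie alone: any page that can make the victim's browser
        # submit this form changes the victim's options (the CVE's pattern).
        member = self.sessions.get(cookie)
        if member is None:
            return 401, "not logged in"
        self.options[member].update(parse_option_form(form))
        return 200, "options updated"

    def post_hardened(self, cookie: str, form: dict):
        # Same cookie check, plus a token another origin can neither read
        # (same-origin policy) nor derive (server secret).
        member = self.sessions.get(cookie)
        if member is None:
            return 401, "not logged in"
        if not csrf_token_valid(cookie, form.get("csrf_token")):
            return 403, "missing or invalid CSRF token"
        self.options[member].update(parse_option_form(form))
        return 200, "options updated"


def demo() -> dict:
    """Run the same cross-site submission against both handlers."""
    victim = "victim@example.org"                      # constructed address
    # A cross-site form post: the browser attaches the cookie automatically,
    # but the submitting page never saw the token the real form embeds.
    forged_form = {"digest": "on", "hide": ""}

    svc = OptionsService()
    cookie = svc.login(victim)
    vuln_status, _ = svc.post_vulnerable(cookie, forged_form)
    vuln_changed = svc.options[victim]["digest"]

    hard = OptionsService()
    hcookie = hard.login(victim)
    hard_status, _ = hard.post_hardened(hcookie, forged_form)
    hard_changed = hard.options[victim]["digest"]

    # The genuine page resubmits the token it was rendered with.
    genuine = {**forged_form, "csrf_token": hard.render_form(hcookie)["csrf_token"]}
    genuine_status, _ = hard.post_hardened(hcookie, genuine)

    # A token issued for another session must not be accepted for this one.
    other = hard.login("other@example.org")            # constructed address
    borrowed = {**forged_form, "csrf_token": hard.render_form(other)["csrf_token"]}
    borrowed_status, _ = hard.post_hardened(hcookie, borrowed)

    return {
        "vulnerable_status": vuln_status, "vulnerable_changed": vuln_changed,
        "hardened_status": hard_status, "hardened_changed": hard_changed,
        "genuine_status": genuine_status, "borrowed_token_status": borrowed_status,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Binding the token to the session id means a token leaked from one session is useless against another and dies with the session; a deployment would typically also set the session cookie with a `SameSite` attribute and reject cross-origin form posts by `Origin` header, neither of which removes the need for the per-request token check shown here.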