
Bug 592858 (CVE-2016-6893)

Summary: <net-mail/mailman-2.1.23: Cross-site request forgery (CSRF) vulnerability (CVE-2016-6893)
Product: Gentoo Security
Reporter: Thomas Stein <himbeere>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: hanno, net-mail+disabled, pacho
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [noglsa cve]
Package list: net-mail/mailman-2.1.23
Runtime testing required: ---

Description Thomas Stein 2016-09-04 09:44:56 UTC
Hello Devs.

Mailman 2.1.23 has been released. An updated package would be nice.

thanks and cheers

Reproducible: Always
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-04 11:45:56 UTC
-*- coding: iso-8859-1 -*-
Mailman - The GNU Mailing List Management System
Copyright (C) 1998-2016 by the Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

Here is a history of user visible changes to Mailman.

2.1.23 (27-Aug-2016)

  Security

    - CSRF protection has been extended to the user options page.  This was
      actually fixed by Tokio Kikuchi as part of the fix for LP: #775294 and
      intended for Mailman 2.1.15, but that fix wasn't completely merged at the
      time.  The full fix also addresses the admindb, and edithtml pages as
      well as the user options page and the previously fixed admin pages.
      Thanks to Nishant Agarwala for reporting the issue.  CVE-2016-6893
      (LP: #1614841)
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-09-04 11:49:37 UTC
2.1.23 (27-Aug-2016)

  Security

    - CSRF protection has been extended to the user options page.  This was
      actually fixed by Tokio Kikuchi as part of the fix for LP: #775294 and
      intended for Mailman 2.1.15, but that fix wasn't completely merged at the
      time.  The full fix also addresses the admindb, and edithtml pages as
      well as the user options page and the previously fixed admin pages.
      Thanks to Nishant Agarwala for reporting the issue.  CVE-2016-6893
      (LP: #1614841)
Comment 3 Thomas Stein 2016-11-02 14:02:34 UTC
Hello Devs.

Any progress on this issue?

thanks and cheers
t.
Comment 4 Hanno Böck gentoo-dev 2016-11-15 17:18:34 UTC
I've committed an ebuild for 2.1.23. This also includes a fix for the eclass changes (done in 2.1.20-r1) and the python team is asking for deprecation of the old eclass.

I want to let this settle for a few days and see if new issues pop up, then we can start stabilizing.
Comment 5 Thomas Stein 2016-11-15 19:19:32 UTC
Thanks.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-11-17 06:49:04 UTC
CVE-2016-6893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6893):
  Cross-site request forgery (CSRF) vulnerability in the user options page in
  GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the
  authentication of arbitrary users for requests that modify an option, as
  demonstrated by gaining access to the credentials of a victim's account.
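The user options page fix that the changelog and the CVE text describe, shown as an added example rather than Mailman's own code: a minimal option-change handler that trusts the session cookie alone, beside one that additionally requires an HMAC token bound to the list, the user and an expiry time. The secret, the function names and the dictionary-backed option store are constructed for this example.

```python
import hmac
import hashlib
import time

# Constructed server-side secret for the example; a real deployment keeps a
# per-site or per-list secret outside the web root.
SECRET = b"example-list-secret-do-not-reuse"
TOKEN_LIFETIME = 3600  # seconds a token stays valid


def _mac(listname, user, expires):
    # Bind the token to the list, the user and the expiry so a token minted
    # for one account cannot authorize a change to another.
    msg = f"{listname}\0{user}\0{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(listname, user, now=None):
    """Token to embed as a hidden field when rendering the options form."""
    expires = int(now if now is not None else time.time()) + TOKEN_LIFETIME
    return f"{expires}:{_mac(listname, user, expires)}"


def verify_token(listname, user, token, now=None):
    """True only for an unexpired token minted for this list and user."""
    if not token or ":" not in token:
        return False
    expires_s, mac = token.split(":", 1)
    if not expires_s.isdigit():
        return False
    expires = int(expires_s)
    if expires < int(now if now is not None else time.time()):
        return False
    # Constant-time comparison avoids leaking the expected MAC byte by byte.
    return hmac.compare_digest(mac, _mac(listname, user, expires))


def change_option_vulnerable(session_user, form, store):
    # The cookie alone authorizes the change, so a form posted from another
    # site that carries the victim's cookie is accepted.
    store[session_user][form["option"]] = form["value"]
    return True


def change_option_protected(listname, session_user, form, store, now=None):
    # Refuse the change unless the form carries a token bound to this user.
    if not verify_token(listname, session_user, form.get("csrf_token"), now):
        return False
    store[session_user][form["option"]] = form["value"]
    return True
```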
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-11-26 06:08:27 UTC
@maintainer(s), would you like to stabilize?
Comment 8 Hanno Böck gentoo-dev 2016-11-26 07:53:11 UTC
Yes, it has been running fine for a few days now on my server; we can start stabilizing.

Target Keywords:
KEYWORDS="amd64 ppc x86"
Comment 9 Agostino Sarubbo gentoo-dev 2016-11-26 10:37:10 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-11-26 10:44:52 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-15 15:57:49 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-15 19:20:13 UTC
GLSA Vote: No
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-02-22 11:11:41 UTC
Tree is clean.