Unreleased patch for this issue:
Author: Kunal Mehta <firstname.lastname@example.org>
Date: Tue Jun 8 00:54:14 2021 -0400
Check the REST API password in a way that is resistant to timing attacks (CVE-2021-34337)
Using basic string equality is vulnerable to timing attacks as it will
short circuit at the first wrong character. Using hmac.compare_digest
avoids that issue and will take the same time, regardless of whether
the value is correct or not.
This is only exploitable if an attacker can talk directly to the
REST API, which by default is bound to localhost.
Created attachment 759930 [details, diff]
It looks like mailman-3.3.6 is already out.
That fix is included in mailman-3.3.5 according to the upstream changelog ( «URI scrubbed because my bugzilla account is less than 24 hours old» ).
This is a patch which I found was required to get mailman-3.3.5 to run while testing. It should also be required for 3.3.6, but I have not tested it.
Created attachment 759983 [details, diff]
Patch from upstream.