Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 592858 (CVE-2016-6893) - <net-mail/mailman-2.1.23: Cross-site request forgery (CSRF) vulnerability (CVE-2016-6893)
Summary: <net-mail/mailman-2.1.23: Cross-site request forgery (CSRF) vulnerability (CV...
Status: RESOLVED FIXED
Alias: CVE-2016-6893
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-04 09:44 UTC by Thomas Stein
Modified: 2017-02-22 11:11 UTC (History)
3 users (show)

See Also:
Package list:
net-mail/mailman-2.1.23
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Stein 2016-09-04 09:44:56 UTC
Hello Devs.

Mailman 2.1.23 has been released. An updated package would be nice.

thanks and cheers

Reproducible: Always
Comment 1 Jeroen Roovers gentoo-dev 2016-09-04 11:45:56 UTC
-*- coding: iso-8859-1 -*-
Mailman - The GNU Mailing List Management System
Copyright (C) 1998-2016 by the Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

Here is a history of user visible changes to Mailman.

2.1.23 (27-Aug-2016)

  Security

    - CSRF protection has been extended to the user options page.  This was
      actually fixed by Tokio Kikuchi as part of the fix for LP: #775294 and
      intended for Mailman 2.1.15, but that fix wasn't completely merged at the
      time.  The full fix also addresses the admindb, and edithtml pages as
      well as the user options page and the previously fixed admin pages.
      Thanks to Nishant Agarwala for reporting the issue.  CVE-2016-6893
      (LP: #1614841)
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2016-09-04 11:49:37 UTC
2.1.23 (27-Aug-2016)

  Security

    - CSRF protection has been extended to the user options page.  This was
      actually fixed by Tokio Kikuchi as part of the fix for LP: #775294 and
      intended for Mailman 2.1.15, but that fix wasn't completely merged at the
      time.  The full fix also addresses the admindb, and edithtml pages as
      well as the user options page and the previously fixed admin pages.
      Thanks to Nishant Agarwala for reporting the issue.  CVE-2016-6893
      (LP: #1614841)
Comment 3 Thomas Stein 2016-11-02 14:02:34 UTC
Hello Devs.

Any progress on this issue?

thanks and cheers
t.
Comment 4 Hanno Böck gentoo-dev 2016-11-15 17:18:34 UTC
I've committed an ebuild for 2.1.23. This also includes a fix for the eclass changes (done in 2.1.20-r1) and the python team is asking for deprecation of the old eclass.

I want to let this settle for a few days and see if new issues pop up, then we can start stabilizing.
Comment 5 Thomas Stein 2016-11-15 19:19:32 UTC
Thanks.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-11-17 06:49:04 UTC
CVE-2016-6893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6893):
  Cross-site request forgery (CSRF) vulnerability in the user options page in
  GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the
  authentication of arbitrary users for requests that modify an option, as
  demonstrated by gaining access to the credentials of a victim's account.
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-26 06:08:27 UTC
@maintainer(s), would you like to stabilize?
Comment 8 Hanno Böck gentoo-dev 2016-11-26 07:53:11 UTC
Yes, was running fine for a few days now on my server, we can start stabilizing.

Target Keywords:
KEYWORDS="amd64 ppc x86"
Comment 9 Agostino Sarubbo gentoo-dev 2016-11-26 10:37:10 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-11-26 10:44:52 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-15 15:57:49 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Thomas Deutschmann gentoo-dev Security 2017-01-15 19:20:13 UTC
GLSA Vote: No
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-02-22 11:11:41 UTC
Tree is clean.