Bug 792276 (CVE-2021-33038) - net-mail/hyperkitty: Possible private archive disclosure during migration (CVE-2021-33038)
Status: RESOLVED FIXED
Alias: CVE-2021-33038
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://gitlab.com/mailman/hyperkitty...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-26 16:48 UTC by Sam James
Modified: 2022-06-05 15:09 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-26 16:48:26 UTC
Description:
"An issue was discovered in management/commands/hyperkitty_import.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration of the import. For example, sensitive information might be available on the web for an hour during a large migration from Mailman 2 to Mailman 3."

https://gitlab.com/mailman/hyperkitty/-/commit/9025324597d60b2dff740e49b70b15589d6804fa
https://gitlab.com/mailman/hyperkitty/-/issues/380
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:10:47 UTC
Package list is empty or all packages have requested keywords.
Comment 7 Larry the Git Cow gentoo-dev 2022-06-05 14:18:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a69b3f81f685a547f1f29a9c498fea7ab259a985

commit a69b3f81f685a547f1f29a9c498fea7ab259a985
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-06-05 14:07:18 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-06-05 14:16:16 +0000

    net-mail/hyperkitty: treeclean
    
    Closes: https://bugs.gentoo.org/836724
    Closes: https://bugs.gentoo.org/832249
    Bug: https://bugs.gentoo.org/792276
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 net-mail/hyperkitty/Manifest                |  1 -
 net-mail/hyperkitty/hyperkitty-1.3.3.ebuild | 45 -----------------------------
 net-mail/hyperkitty/metadata.xml            |  9 ------
 profiles/package.mask                       |  1 -
 4 files changed, 56 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-05 15:09:10 UTC
All done!