Bug 812853 (CVE-2021-40347) - <net-mail/postorius-1.3.5: Unauthenticated unsubscribe (CVE-2021-40347)
Summary: <net-mail/postorius-1.3.5: Unauthenticated unsubscribe (CVE-2021-40347)
Status: RESOLVED FIXED
Alias: CVE-2021-40347
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Reported: 2021-09-13 01:01 UTC by Sam James
Modified: 2021-09-29 22:36 UTC

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-13 01:01:01 UTC
Description:
"An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place."
Comment 1 Larry the Git Cow gentoo-dev 2021-09-28 08:43:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d393c76a9277f3d09e57e0a7aecdf56c64ac469

commit 8d393c76a9277f3d09e57e0a7aecdf56c64ac469
Author:     Arthur Zamarin <arthurzam@gentoo.org>
AuthorDate: 2021-09-28 08:42:30 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2021-09-28 08:42:30 +0000

    net-mail/postorius: add 1.3.5, enable py3.9, enable tests
    
    Bug: https://bugs.gentoo.org/812853
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 net-mail/postorius/Manifest               |  1 +
 net-mail/postorius/postorius-1.3.5.ebuild | 48 +++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-29 02:07:56 UTC
Thank you! Please clean up.
Comment 3 Larry the Git Cow gentoo-dev 2021-09-29 20:07:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba8e8975c9fa92c30adf5bbf78594852ae2f2af8

commit ba8e8975c9fa92c30adf5bbf78594852ae2f2af8
Author:     Arthur Zamarin <arthurzam@gentoo.org>
AuthorDate: 2021-09-29 20:07:33 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2021-09-29 20:07:33 +0000

    net-mail/postorius: drop 1.3.3
    
    Bug: https://bugs.gentoo.org/812853
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 net-mail/postorius/Manifest               |  1 -
 net-mail/postorius/postorius-1.3.3.ebuild | 32 -------------------------------
 2 files changed, 33 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-29 22:36:03 UTC
Thank you!