Control: tags -1 + upstream security

Hi Thomas,

On Tue, Dec 14, 2021 at 11:23:53AM +0100, Thomas Arendsen Hein wrote:
> Package: mailman
> Version: 1:2.1.29-1+deb10u2
> Severity: important
>
> Hi!
>
> Mailman 2.1.38 has been released to fix CVE-2021-44227 (a list
> member or moderator can get a CSRF token and craft an admin request),
> and 2.1.39 has been released to fix a regression in above fix and
> to update the fix for CVE-2021-42097.
>
> https://mail.python.org/archives/list/mailman-annou...@python.org/thread/D54X2LXETPMVP5KZNM2WP6Z6UOPJXSVD/

> Can you update the packages for Debian buster (and ideally for
> stretch LTS, too)?

See: https://bugs.debian.org/1001556 so it's pending for the next buster point release.

> In bug report #1000367 an updated package 1:2.1.29-1+deb10u3 has
> been created, but it is not yet available via buster-security.
> That's why I have marked this ticket with "1:2.1.29-1+deb10u2"
> above.

Samewise: https://bugs.debian.org/1000386

So in summary, all the CVE fixes are already pending for the next point release for buster.

Hope this helps,

Regards,
Salvatore