
List:       mailman-developers
Subject:    [Mailman-Developers] Re: Mailman 2.1.38 security release
From:       Mark Sapiro <mark@msapiro.net>
Date:       2021-11-30 18:51:25
Message-ID: 07aec7a9-12ee-201d-bb7f-40bc6c989bea@msapiro.net



I am pleased to announce the release of Mailman 2.1.38.

This is a security release. It fixes
https://bugs.launchpad.net/mailman/+bug/1952384 CVE-2021-44227. This 
could allow a list moderator or member to carry out a CSRF attack 
against the list's admin page.

For those who just want a patch for the security issues, patches are
attached.

As noted, Mailman 2.1.30 was the last feature release of the Mailman 2.1
branch from the GNU Mailman project. There has been some discussion as
to what this means. It means there will be no more releases from the GNU
Mailman project containing any new features. There may be future patch
releases to address the following:

i18n updates.
security issues.
bugs affecting operation for which no satisfactory workaround exists.

Mailman 2.1.38 is the eighth such patch release.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.

For more information, please see our web site at one of:

http://www.list.org
https://www.gnu.org/software/mailman
http://mailman.sourceforge.net/

Mailman 2.1.38 can be downloaded from

https://launchpad.net/mailman/2.1/
https://ftp.gnu.org/gnu/mailman/
https://sourceforge.net/projects/mailman/

-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

["patch.txt" (text/plain)]

=== modified file 'Mailman/CSRFcheck.py'
--- old/Mailman/CSRFcheck.py	2021-11-12 23:23:52 +0000
+++ new/Mailman/CSRFcheck.py	2021-11-30 17:50:49 +0000
@@ -55,7 +55,7 @@
     token = binascii.hexlify(marshal.dumps((issued, keymac)))
     return token
 
-def csrf_check(mlist, token, options_user=None):
+def csrf_check(mlist, token, cgi_user=None):
     """ check token by mailman cookie validation algorithm """
     try:
         issued, keymac = marshal.loads(binascii.unhexlify(token))
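Review bot: the rename from `options_user` to `cgi_user` changes the keyword interface of csrf_check(), and the patch touches neither Cgi/options.py nor any other existing caller; verify that the options CGI (the caller the CVE-2021-42097 comment below refers to) passes its argument positionally, because a call using `options_user=` as a keyword would now raise TypeError. The docstring on the next line still reads only "check token by mailman cookie validation algorithm"; add a sentence saying that the third argument is either a CGI name ('admin', 'admindb') or the member address of the options page being posted, since the two meanings are easy to confuse.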
@@ -67,12 +67,25 @@
             key, user = key.split('+', 1)
         else:
             user = None
+        # Don't allow unprivileged tokens for admin or admindb.
+        if cgi_user == 'admin':
+            if key not in ('admin', 'site'):
+                syslog('mischief',
+                       'admin form submitted with CSRF token issued for %s.',
+                       key + '+' + user if user else key)
+                return False
+        elif cgi_user == 'admindb':
+            if key not in ('moderator', 'admin', 'site'):
+                syslog('mischief',
+                       'admindb form submitted with CSRF token issued for %s.',
+                       key + '+' + user if user else key)
+                return False
         if user:
             # This is for CVE-2021-42097.  The token is a user token because
             # of the fix for CVE-2021-42096 but it must match the user for
             # whom the options page is requested.
             raw_user = UnobscureEmail(urllib.unquote(user))
-            if options_user and options_user != raw_user:
+            if cgi_user and cgi_user != raw_user:
                 syslog('mischief',
                        'Form for user %s submitted with CSRF token '
                        'issued for %s.',
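Review bot: a cgi_user value that is neither 'admin' nor 'admindb' falls through both new branches with no role restriction at all, so a caller that passes a misspelled CGI name, or omits the argument, silently keeps the pre-fix behaviour that CVE-2021-44227 is about. A lookup table such as `{'admin': ('admin', 'site'), 'admindb': ('moderator', 'admin', 'site')}` consulted once would remove the two near-identical syslog blocks and make it natural to log (or reject) a cgi_user that is neither a known CGI name nor a user address, rather than treating it as unrestricted.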

=== modified file 'Mailman/Cgi/admin.py'
--- old/Mailman/Cgi/admin.py	2019-10-05 21:32:22 +0000
+++ new/Mailman/Cgi/admin.py	2021-11-30 17:50:49 +0000
@@ -107,7 +107,8 @@
                    'legend']
     params = cgidata.keys()
     if set(params) - set(safe_params):
-        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'))
+        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
+                                  'admin')
     else:
         csrf_checked = True
     # if password is present, void cookie to force password authentication.
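Review bot: the bare positional `'admin'` after the token reads as an opaque flag at this call site; passing it as `cgi_user='admin'` states that it is the CGI name being scoped and protects this caller if csrf_check() grows further parameters. The check is otherwise correctly placed: it only runs when the submitted parameters include something outside safe_params, which is the same condition the old call used.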

=== modified file 'Mailman/Cgi/admindb.py'
--- old/Mailman/Cgi/admindb.py	2021-11-12 23:23:52 +0000
+++ new/Mailman/Cgi/admindb.py	2021-11-30 17:50:49 +0000
@@ -144,7 +144,8 @@
     safe_params = ['adminpw', 'admlogin', 'msgid', 'sender', 'details']
     params = cgidata.keys()
     if set(params) - set(safe_params):
-        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'))
+        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
+                                  'admindb')
     else:
         csrf_checked = True
     # if password is present, void cookie to force password authentication.
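Review bot: the literal 'admindb' here has to match the string compared in Mailman/CSRFcheck.py character for character, and because csrf_check() applies no restriction for names it does not recognise, a typo in either file would not fail loudly; it would just reopen the hole. Define the CGI names as constants in CSRFcheck.py and import them in admindb.py, admin.py and edithtml.py so the two sides cannot drift apart.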

=== modified file 'Mailman/Cgi/edithtml.py'
--- old/Mailman/Cgi/edithtml.py	2018-07-11 06:52:22 +0000
+++ new/Mailman/Cgi/edithtml.py	2021-11-30 17:50:49 +0000
@@ -111,7 +111,8 @@
     safe_params = ['VARHELP', 'adminpw', 'admlogin']
     params = cgidata.keys()
     if set(params) - set(safe_params):
-        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'))
+        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
+                                  'admin')
     else:
         csrf_checked = True
     # if password is present, void cookie to force password authentication.
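Review bot: passing 'admin' from edithtml.py is right in terms of privilege (edithtml is an admin-only page, so only admin or site tokens should drive it), but it means a rejected edithtml submission is recorded in the mischief log as "admin form submitted with CSRF token issued for ...", indistinguishable from an event on admin.py. If the argument is meant as a privilege level rather than a CGI name, say so in csrf_check()'s docstring; otherwise add an 'edithtml' case in CSRFcheck.py mapping to the same ('admin', 'site') tuple so the log line names the page actually attacked.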


["OpenPGP_signature.asc" (application/pgp-signature)]

_______________________________________________
Mailman-Developers mailing list -- mailman-developers@python.org
To unsubscribe send an email to mailman-developers-leave@python.org
https://mail.python.org/mailman3/lists/mailman-developers.python.org/
Mailman FAQ: https://wiki.list.org/x/AgA3

Security Policy: https://wiki.list.org/x/QIA9

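The following is an added Python 3 model of the check the patch above introduces; it is not Mailman's code and not part of Mark's announcement. It assumes a stand-in token format (a JSON triple of issue time, role and an HMAC-SHA256 under a made-up per-site secret) in place of Mailman's marshal/keymac scheme, drops the UnobscureEmail/urllib.unquote step, and uses the role tuples visible in the patched csrf_check() for 'admin' and 'admindb'. It shows the behaviour the advisory describes (a moderator's or member's token satisfying the admin page's CSRF check before the fix), the scoped check after the fix, and why relabelling a token's role without the secret does not help an attacker.

```python
"""Model of the CVE-2021-44227 fix: a CSRF token carries the role it was
issued for, and csrf_check() only honours roles allowed for the target CGI.
Token format and MAC here are this example's own, not Mailman's."""
import binascii
import hashlib
import hmac
import json

# Assumed per-site secret; Mailman derives its keymac differently (not modelled).
SECRET = b"example-site-secret"

# Roles permitted per CGI name, mirroring the tuples in the patched csrf_check().
ALLOWED_KEYS = {
    'admin':   ('admin', 'site'),
    'admindb': ('moderator', 'admin', 'site'),
}


def _mac(mlist, issued, role):
    msg = '%s:%d:%s' % (mlist, issued, role)
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def issue_token(mlist, key, user=None, issued=1638298285):
    """Issue a token for list `mlist` bound to role `key` ('site', 'admin',
    'moderator' or 'user'); a user token also carries the member's address."""
    role = key if user is None else key + '+' + user
    payload = json.dumps([issued, role, _mac(mlist, issued, role)])
    return binascii.hexlify(payload.encode()).decode()


def _verify(mlist, token):
    """Return (key, user) for an authentic token of this list, else None."""
    try:
        issued, role, mac = json.loads(binascii.unhexlify(token))
        if not (isinstance(issued, int) and isinstance(role, str)
                and isinstance(mac, str)):
            return None
    except (ValueError, TypeError):      # bad hex, bad JSON, wrong shape, None
        return None
    if not hmac.compare_digest(mac, _mac(mlist, issued, role)):
        return None
    key, user = (role.split('+', 1) if '+' in role else (role, None))
    return key, user


def csrf_check_old(mlist, token):
    """Pre-2.1.38 behaviour as the advisory describes it: any authentic token
    for the list satisfies any CGI, so a moderator's or member's token passes
    the admin page's check."""
    return _verify(mlist, token) is not None


def csrf_check_new(mlist, token, cgi_user=None):
    """Patched behaviour: admin/admindb accept only tokens of a sufficient
    role; a user token must match the member whose options page is posted."""
    parsed = _verify(mlist, token)
    if parsed is None:
        return False
    key, user = parsed
    if cgi_user in ALLOWED_KEYS and key not in ALLOWED_KEYS[cgi_user]:
        return False            # unprivileged token against admin/admindb
    if user and cgi_user and cgi_user != user:
        return False            # user token for a different member
    return True


def relabel(token, new_role):
    """Attacker's attempt to upgrade a token by editing its role field; the
    MAC was computed over the original role, so verification then fails."""
    issued, _old_role, mac = json.loads(binascii.unhexlify(token))
    return binascii.hexlify(json.dumps([issued, new_role, mac]).encode()).decode()


def demo(mlist='testlist'):
    """Run the constructed scenarios and return name -> accepted?"""
    moderator = issue_token(mlist, 'moderator')
    member = issue_token(mlist, 'user', 'alice@example.org')
    admin = issue_token(mlist, 'admin')
    return {
        'old_admin_accepts_moderator': csrf_check_old(mlist, moderator),
        'old_admin_accepts_member': csrf_check_old(mlist, member),
        'new_admin_accepts_moderator': csrf_check_new(mlist, moderator, 'admin'),
        'new_admin_accepts_member': csrf_check_new(mlist, member, 'admin'),
        'new_admindb_accepts_moderator': csrf_check_new(mlist, moderator, 'admindb'),
        'new_admindb_accepts_member': csrf_check_new(mlist, member, 'admindb'),
        'new_admin_accepts_admin': csrf_check_new(mlist, admin, 'admin'),
        'new_options_same_user': csrf_check_new(mlist, member, 'alice@example.org'),
        'new_options_other_user': csrf_check_new(mlist, member, 'bob@example.org'),
        'new_admin_rejects_relabelled': csrf_check_new(mlist, relabel(moderator, 'admin'), 'admin'),
        'new_other_list_rejects': csrf_check_new('otherlist', admin, 'admin'),
    }


if __name__ == '__main__':
    for name, result in sorted(demo().items()):
        print('%-32s %s' % (name, result))
```

The point the model makes is that authenticity of the token is not the whole question: before the fix a token only proved "someone logged in to this list", which a moderator or ordinary member can legitimately obtain and then embed in a page that the list admin visits. The scoped check adds "and that login was at a level allowed to drive this page". Note that, as in the real patch, a cgi_user value outside the table gets no role restriction, which is why the callers' literal strings matter.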
