FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mailman -- 2.1.37 fixes XSS via user options, and moderator offline brute-force vuln against list admin password

Affected packages
mailman < 2.1.37
mailman-exim4 < 2.1.37
mailman-exim4-with-htdig < 2.1.37
mailman-postfix < 2.1.37
mailman-postfix-with-htdig < 2.1.37
mailman-with-htdig < 2.1.37

Details

VuXML ID 9d7a2b54-4468-11ec-8532-0d24c37c72c8
Discovery 2021-11-01
Entry 2021-11-13

Mark Sapiro reports:

A potential XSS attack via the user options page has been reported by Harsh Jaiswal. This is fixed. CVE-2021-43331 (LP: #1949401).

A potential for a list moderator to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed. CVE-2021-43332 (LP: #1949403).

References

CVE Name CVE-2021-43331
CVE Name CVE-2021-43332
URL https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1879/NEWS#L8
URL https://bugs.launchpad.net/mailman/+bug/1949401
URL https://bugs.launchpad.net/mailman/+bug/1949403