========================================================================== Ubuntu Security Notice USN-5121-2 November 01, 2021 mailman vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Mailman. Software Description: - mailman: Web-based mailing list manager Details: USN-5009-1 fixed vulnerabilities in Mailman. This update provides the corresponding updates for Ubuntu 20.04 LTS. In addition, the following CVEs were fixed: It was discovered that Mailman allows arbitrary content injection. An attacker could use this to inject malicious content. (CVE-2020-12108, CVE-2020-15011) It was discovered that Mailman improperly sanitize the MIME content. An attacker could obtain sensitive information by sending a special type of attachment. (CVE-2020-12137) Original advisory details: Andre Protas, Richard Cloke, and Andy Nuttall discovered that Mailman did not properly associate cross-site request forgery (CSRF) tokens to specific accounts. A remote attacker could use this to perform a CSRF attack to gain access to another account. (CVE-2021-42097) Andre Protas, Richard Cloke, and Andy Nuttall discovered that Mailman’s cross-site request forgery (CSRF) tokens for the options page are derived from the admin password. A remote attacker could possibly use this to assist in performing a brute force attack against the admin password. (CVE-2021-42096) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: mailman 1:2.1.29-1ubuntu3.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5121-2 https://ubuntu.com/security/notices/USN-5121-1 CVE-2020-12108, CVE-2020-12137, CVE-2020-15011, CVE-2021-42096, CVE-2021-42097 Package Information: https://launchpad.net/ubuntu/+source/mailman/1:2.1.29-1ubuntu3.1