Debian Bug report logs - #993746
python3-django-postorius: CVE-2021-40347 New upstream to fix security bug

version graph

Package: src:postorius; Maintainer for src:postorius is Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>;

Reported by: Peter Chubb <peter.chubb@unsw.edu.au>

Date: Sun, 5 Sep 2021 21:33:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions postorius/1.2.4-1, postorius/1.3.4-2

Done: Pierre-Elliott Bécue <peb@debian.org>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#993746; Package python3-django-postorius. (Sun, 05 Sep 2021 21:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Peter Chubb <peter.chubb@unsw.edu.au>:
New Bug report received and forwarded. Copy sent to Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>. (Sun, 05 Sep 2021 21:33:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Peter Chubb <peter.chubb@unsw.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python3-django-postorius: CVE-2021-40347 New upstream to fix security bug
Date: Mon, 06 Sep 2021 07:28:39 +1000
Package: python3-django-postorius
Version: 1.3.4-2
Severity: important
Tags: upstream

Dear Maintainer,

There is a new upstream (and patches to this version) available, to address 
security issue CVE-2021-40347.  This vulnerability allows any logged-in-user
to unsubscribe any user from any list.

Version 1.3.5 fixes the issue; plus a patch was posted to the 
mailman3 mailing list.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-cloud-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-django-postorius depends on:
ii  fonts-glyphicons-halflings  1.009~3.4.1+dfsg-2
ii  libjs-bootstrap4            4.5.2+dfsg1-8
ii  libjs-jquery                3.5.1+dfsg+~3.5.5-7
ii  libjs-sphinxdoc             3.5.4-2
ii  node-html5shiv              3.7.3+dfsg-3
ii  python3                     3.9.2-3
ii  python3-cmarkgfm            0.4.2-1+b3
ii  python3-django              2:2.2.24-1
ii  python3-django-mailman3     1.3.5-2
ii  python3-mailmanclient       3.3.2-1
ii  python3-readme-renderer     24.0-3
ii  sphinx-rtd-theme-common     0.5.1+dfsg-1

Versions of packages python3-django-postorius recommends:
ii  mailman3-web  0+20200530-2

python3-django-postorius suggests no packages.

-- no debconf information



Bug reassigned from package 'python3-django-postorius' to 'src:1.3.4-2'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 06 Sep 2021 12:54:02 GMT) (full text, mbox, link).


No longer marked as found in versions postorius/1.3.4-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 06 Sep 2021 12:54:02 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream and security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 06 Sep 2021 12:54:03 GMT) (full text, mbox, link).


Marked as found in versions 1.3.4-2/1.2.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 06 Sep 2021 12:54:03 GMT) (full text, mbox, link).


Bug reassigned from package 'src:1.3.4-2' to 'src:postorius'. Request was from Jonas Meurer <jonas@freesources.org> to control@bugs.debian.org. (Thu, 09 Sep 2021 11:48:04 GMT) (full text, mbox, link).


No longer marked as found in versions 1.3.4-2/1.2.4-1. Request was from Jonas Meurer <jonas@freesources.org> to control@bugs.debian.org. (Thu, 09 Sep 2021 11:48:04 GMT) (full text, mbox, link).


Marked as found in versions postorius/1.3.4-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 Sep 2021 12:00:05 GMT) (full text, mbox, link).


Marked as found in versions postorius/1.2.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 Sep 2021 12:00:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>:
Bug#993746; Package src:postorius. (Sun, 15 Oct 2023 11:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to Boud Roukema <bouddebbug@cosmo.torun.pl>:
Extra info received and forwarded to list. Copy sent to Debian Mailman Team <pkg-mailman-hackers@lists.alioth.debian.org>. (Sun, 15 Oct 2023 11:45:02 GMT) (full text, mbox, link).


Message #26 received at 993746@bugs.debian.org (full text, mbox, reply):

From: Boud Roukema <bouddebbug@cosmo.torun.pl>
To: 993746@bugs.debian.org
Subject: CVE-2021-40347 seems to be fixed
Date: Sun, 15 Oct 2023 13:35:02 +0200 (CEST)
hi Maintainers,

* https://security-tracker.debian.org/tracker/CVE-2021-40347 says that this
bug (993746 -  python3-django-postorius: CVE-2021-40347 New upstream to fix security bug)
is fixed in all versions.

A quick browse is consistent with that:

* buster patch https://salsa.debian.org/mailman-team/postorius/-/blob/debian/buster-security/debian/patches/0002-PATCH-Check-a-user-owns-the-email-they-are-trying-to.patch

* bullseye patch https://salsa.debian.org/mailman-team/postorius/-/blob/debian/bullseye-security/debian/patches/0002-PATCH-Check-a-user-owns-the-email-they-are-trying-to.patch

* bookworm/trixie/sid are at version 1.3.8-3 https://tracker.debian.org/pkg/postorius

I'm new to mailman3 (finally got the upgrade from mailman2 done), but
it looks like time to close this bug.

Cheers
Boud




Reply sent to Pierre-Elliott Bécue <peb@debian.org>:
You have taken responsibility. (Mon, 08 Jan 2024 22:36:05 GMT) (full text, mbox, link).


Notification sent to Peter Chubb <peter.chubb@unsw.edu.au>:
Bug acknowledged by developer. (Mon, 08 Jan 2024 22:36:05 GMT) (full text, mbox, link).


Message #31 received at 993746-done@bugs.debian.org (full text, mbox, reply):

From: Pierre-Elliott Bécue <peb@debian.org>
To: Boud Roukema <bouddebbug@cosmo.torun.pl>, 993746-done@bugs.debian.org
Subject: Re: Bug#993746: CVE-2021-40347 seems to be fixed
Date: Mon, 08 Jan 2024 23:32:08 +0100
[Message part 1 (text/plain, inline)]
Hi,

Boud Roukema <bouddebbug@cosmo.torun.pl> wrote on 15/10/2023 at 12:35:02+0100:

> hi Maintainers,
>
> * https://security-tracker.debian.org/tracker/CVE-2021-40347 says that this
> bug (993746 -  python3-django-postorius: CVE-2021-40347 New upstream to fix security bug)
> is fixed in all versions.
>
> A quick browse is consistent with that:
>
> * buster patch https://salsa.debian.org/mailman-team/postorius/-/blob/debian/buster-security/debian/patches/0002-PATCH-Check-a-user-owns-the-email-they-are-trying-to.patch
>
> * bullseye patch https://salsa.debian.org/mailman-team/postorius/-/blob/debian/bullseye-security/debian/patches/0002-PATCH-Check-a-user-owns-the-email-they-are-trying-to.patch
>
> * bookworm/trixie/sid are at version 1.3.8-3 https://tracker.debian.org/pkg/postorius
>
> I'm new to mailman3 (finally got the upgrade from mailman2 done), but
> it looks like time to close this bug.
>
> Cheers

Yes, sorry, this bug fell through the net.

It can indeed be closed.
-- 
PEB
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 06 Feb 2024 07:27:37 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:47:55 2025; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.