mail/mailman: security update to 2.1.37
- A potential XSS attack via the user options page has been reported by Harsh Jaiswal. This is fixed. CVE-2021-43331 (LP: #1949401)
LP: A crafted URL to the user options page can execute arbitrary JavaScript.
- A potential for a list moderator to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed. CVE-2021-43332 (LP: #1949403)
LP: The CSRF token for the admindb page contains an encrypted version of
the list admin password which could potentially be cracked by a moderator via an off-line brute force attack.
ChangeLog:
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1879/NEWS#L2
MFH: 2021Q4
Security: 9d7a2b54-4468-11ec-8532-0d24c37c72c8
Security: CVE-2021-43331
Security: CVE-2021-43332
(cherry picked from commit f05ee16987d1bf5d7002e939614f853d99286fe7)
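As an added illustration of the second issue (this is example code, not Mailman's own implementation nor the upstream fix), one way to build a page-bound CSRF token that carries no password material: an HMAC keyed by a server-side secret over the principal, its role, the list, the page and an expiry. The function names, the `SERVER_SECRET` handling and the token layout are assumptions made for this example.

```python
import hashlib
import hmac
import json
import os
import time

# Assumed: a per-site secret persisted outside the request path. It is
# independent of every list admin password, so a token handed to a
# moderator contains nothing that can be cracked back to that password.
SERVER_SECRET = os.urandom(32)


def _mac(secret, principal, role, listname, page, expiry):
    # JSON-encode the fields so values containing ':' cannot be spliced
    # into one another (e.g. list "a:b" vs. user "x:a").
    msg = json.dumps([principal, role, listname, page, expiry]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_csrf_token(principal, role, listname, page, ttl=3600,
                    now=None, secret=SERVER_SECRET):
    """Return 'expiry:hexmac'; the MAC binds the token to one page and one
    principal/role, so an admindb token is useless on the admin page."""
    expiry = int(now if now is not None else time.time()) + ttl
    return f"{expiry}:{_mac(secret, principal, role, listname, page, expiry)}"


def check_csrf_token(token, principal, role, listname, page,
                     now=None, secret=SERVER_SECRET):
    """True only for an unexpired token whose MAC matches this request's
    principal, role, list and page; comparison is constant-time."""
    try:
        expiry_s, mac = token.split(":", 1)
        expiry = int(expiry_s)
    except ValueError:
        return False
    if (now if now is not None else time.time()) > expiry:
        return False
    expected = _mac(secret, principal, role, listname, page, expiry)
    return hmac.compare_digest(mac, expected)
```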