[USN-5121-1] Mailman vulnerabilities

========================================================================== Ubuntu Security Notice USN-5121-1 October 22, 2021
mailman vulnerabilities ==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 18.04 LTS – Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in Mailman.
Software Description: – mailman: Web-based mailing list manager
Details:
Andre Protas, Richard Cloke, and Andy Nuttall discovered that Mailman did not properly associate cross-site request forgery (CSRF) tokens to specific accounts. A remote attacker could use this to perform a CSRF attack to gain access to another account. (CVE-2021-42097)
Andre Protas, Richard Cloke, and Andy Nuttall discovered that Mailman’s cross-site request forgery (CSRF) tokens for the options page are derived from the admin password. A remote attacker could possibly use this to assist in performing a brute force attack against the admin password. (CVE-2021-42096)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 18.04 LTS: mailman 1:2.1.26-1ubuntu0.4
Ubuntu 16.04 ESM: mailman 1:2.1.20-1ubuntu0.6+esm1
In general, a standard system update will make all the necessary changes.
References: ubuntu.com/security/notices/USN-5121-1 CVE-2021-42096, CVE-2021-42097
Package Information: launchpad.net/ubuntu/+source/mailman/1:2.1.26-1ubuntu0.4