CVE-2021-43332

Name	CVE-2021-43332
Description	In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3049-1
Debian Bugs	1000367

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
mailman (PTS)	jessie, jessie (lts)	1:2.1.18-2+deb8u8	vulnerable
	stretch (security), stretch (lts), stretch	1:2.1.23-1+deb9u8	fixed
	buster	1:2.1.29-1+deb10u5	fixed
	buster (security), buster (lts)	1:2.1.29-1+deb10u2	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
mailman	source	stretch	1:2.1.23-1+deb9u8	DLA-3049-1
mailman	source	buster	1:2.1.29-1+deb10u3
mailman	source	(unstable)	(unfixed)		1000367

Notes

https://mail.python.org/archives/list/mailman-announce@python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/
https://bugs.launchpad.net/mailman/+bug/1949403
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1876 (2.1.36)
Regression fix: https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1878 (2.1.37)
[jessie] - mailman <no-dsa> (Minor issue)