Bug 997205 (CVE-2016-7123) - VUL-0: CVE-2016-7123: mailman: Cross-site request forgery (CSRF) vulnerability in the admin web interface in GNU Mailman
Summary: VUL-0: CVE-2016-7123: mailman: Cross-site request forgery (CSRF) vulnerabilit...
Status: RESOLVED WONTFIX
Alias: CVE-2016-7123
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/172353/
Whiteboard: CVSSv3:SUSE:CVE-2016-7123:8.8:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-05 06:05 UTC by Victor Pereira
Modified: 2022-04-11 11:35 UTC
CC List: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2016-09-05 06:05:11 UTC
CVE-2016-7123

Cross-site request forgery (CSRF) vulnerability in the admin web interface in GNU Mailman before 2.1.15 allows remote attackers to hijack the authentication of administrators.
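The defect described above is a state-changing admin form that trusts the session cookie alone, so any page the logged-in administrator visits can submit that form on their behalf. The usual mitigation, and the shape of the fix that went into Mailman 2.1.15, is a per-form secret token the browser cannot obtain cross-origin. The following is an added example written for this page, not Mailman's own code: it binds an HMAC token to the list name, the authenticated admin and a timestamp, and rejects a POST whose token is missing, stale, tampered with or issued for another list. `SITE_SECRET`, `TOKEN_TTL`, the function names and the sample form bodies are all constructed for the illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed per-site secret for the example; a real deployment loads this
# from configuration and never embeds it in source.
SITE_SECRET = b"constructed-example-secret-not-for-production"
TOKEN_TTL = 3600  # seconds a token stays valid after issue


def _mac(listname: str, admin_id: str, ts: int) -> str:
    """HMAC over (list, admin, timestamp) so a token only fits one form context."""
    msg = f"{listname}\0{admin_id}\0{ts}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def make_csrf_token(listname: str, admin_id: str, now: Optional[int] = None) -> str:
    """Return 'timestamp:hexmac' to embed as a hidden field when rendering the admin form."""
    ts = int(time.time()) if now is None else now
    return f"{ts}:{_mac(listname, admin_id, ts)}"


def check_csrf_token(token: str, listname: str, admin_id: str,
                     now: Optional[int] = None) -> bool:
    """Accept only a well-formed, unexpired token whose MAC matches this list and admin."""
    now = int(time.time()) if now is None else now
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False
    if not 0 <= now - ts <= TOKEN_TTL:
        return False  # stale token, or a timestamp from the future
    # Constant-time comparison so the check does not leak the expected MAC.
    return hmac.compare_digest(_mac(listname, admin_id, ts), mac)


def handle_admin_post(listname: str, admin_id: str, body: str,
                      now: Optional[int] = None) -> str:
    """Simulated admin form handler. The session cookie has already authenticated
    admin_id; the token check is what stops a forged cross-site submission."""
    form = parse_qs(body)
    token = form.get("csrf_token", [""])[0]
    if not check_csrf_token(token, listname, admin_id, now):
        return "403 rejected: missing or invalid csrf_token"
    # Only a request that carries a valid token reaches the state-changing path.
    changed = sorted(k for k in form if k != "csrf_token")
    return "200 applied: " + ",".join(changed)


if __name__ == "__main__":
    tok = make_csrf_token("announce", "admin@example.org", now=1000)
    # Constructed form bodies: one forged (no token), one legitimate.
    print(handle_admin_post("announce", "admin@example.org",
                            "subscribe_policy=3", now=1500))
    print(handle_admin_post("announce", "admin@example.org",
                            f"subscribe_policy=3&csrf_token={tok}", now=1500))
```

The token must be issued with the form and sent back in the POST body, never read from a cookie, since cookies are exactly what the browser attaches automatically to a forged request. Binding it to the admin identity and list name means a token obtained for one list cannot be replayed against another.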


References:
https://bugs.launchpad.net/mailman/+bug/1614841 (patch included)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7123
http://www.cvedetails.com/cve/CVE-2016-7123/
Comment 2 Swamp Workflow Management 2016-09-05 22:00:12 UTC
bugbot adjusting priority
Comment 5 Johannes Segitz 2018-05-30 12:17:04 UTC
setting to current maintainer
Comment 10 Swamp Workflow Management 2018-07-04 11:30:12 UTC
This is an autogenerated message for OBS integration:
This bug (997205) was mentioned in
https://build.opensuse.org/request/show/620600 Factory / mailman
Comment 15 Swamp Workflow Management 2019-05-31 10:16:14 UTC
SUSE-SU-2019:14068-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1102416,997205
CVE References: CVE-2016-6893
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    mailman-2.1.15-9.6.12.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    mailman-2.1.15-9.6.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    mailman-2.1.15-9.6.12.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    mailman-2.1.15-9.6.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Alexandros Toptsoglou 2019-11-18 14:46:17 UTC
Hi Matej, 

according to our tracking the fix for this bug is still missing for SLE12. Could you please provide a status of it? 

Thanks
Comment 17 Matej Cepl 2019-11-21 10:51:34 UTC
What’s wrong with https://build.suse.de/request/show/169140 ?
Comment 19 Robert Frohl 2020-04-28 10:54:19 UTC
(In reply to Matej Cepl from comment #17)
> What’s wrong with https://build.suse.de/request/show/169140 ?

Neither bsc#997205 nor CVE-2016-7123 are mentioned anywhere. So for the security tracking it looks like there is no fix.

Was the fix just missing from the changes?
Comment 20 Matej Cepl 2020-04-29 13:45:28 UTC
I am sorry, the total eclipse of reason: for anything <= SLE-12 this bug is WONTFIXed. Adaptation of the upstream patch is just too complicated.
Comment 21 Matej Cepl 2020-04-29 13:46:13 UTC
See comment 9 for more.
Comment 22 OBSbugzilla Bot 2021-10-27 16:40:34 UTC
This is an autogenerated message for OBS integration:
This bug (997205) was mentioned in
https://build.opensuse.org/request/show/927815 15.2 / mailman
Comment 23 Alexander Bergmann 2022-04-11 11:35:14 UTC
As the backport of this issue to SLE-11 is not feasible without a high chance of introducing new issues, we decided to set this bug to WONTFIX.

Best practice would be to migrate to a newer version of mailman on a newer distribution.