Vulnerability in Mailman allowing the mailing list administrator password to be determined

A corrective release of the GNU Mailman 2.1.35 mailing list management system has been published. Mailman is widely used to organise communication between developers in various open source projects. The update fixes two vulnerabilities. The first (CVE-2021-42096) allows any user subscribed to a mailing list to determine the administrator password of that list. The second (CVE-2021-42097) makes it possible to carry out a CSRF attack against another user of the mailing list in order to take over their account. The attack can only be carried out by a subscribed member of the mailing list. Mailman 3 is not affected by this problem.

Both problems stem from the fact that the csrf_token value used to protect the options page against CSRF attacks is always the same as the administrator's token, and is not generated separately for the user of the current session. When the csrf_token is generated, information about the administrator's password hash is used, which makes it easier to determine the password by brute force. Since a csrf_token generated for one user is valid for another user, an attacker can create a page which, when opened by another user, causes commands to be executed in the Mailman interface on behalf of that user and gives the attacker control of their account.
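As an added illustration (not Mailman's own code and not part of the opennet.ru article), the constructed Python below contrasts a token derived only from a list-wide secret, the design flaw described above, with one bound to the current session's user via an HMAC under a random server-side key; all secrets, user names and timestamps are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for the illustration (not Mailman's real secrets or code).
LIST_SECRET = b"constructed-list-wide-secret"   # stands in for the admin password hash
SERVER_KEY = b"constructed-random-server-key"   # random key, unrelated to any password
ISSUED = 1_700_000_000                           # token issue time (UNIX seconds)


def flawed_token(list_secret: bytes, issued: int) -> str:
    """Token derived from a list-wide secret only: every user gets the same value,
    and anyone holding it learns something about the secret it was derived from."""
    return hashlib.sha1(list_secret + str(issued).encode()).hexdigest()


def flawed_verify(list_secret: bytes, token: str, issued: int) -> bool:
    # Nothing here ties the token to the user of the current session.
    return hmac.compare_digest(flawed_token(list_secret, issued), token)


def session_token(server_key: bytes, session_user: str, issued: int) -> str:
    """Hardened variant: HMAC over a server-side random key, bound to the session's user."""
    msg = session_user.encode() + b"\x00" + struct.pack(">Q", issued)
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def session_verify(server_key: bytes, session_user: str, token: str,
                   issued: int, now: int, max_age: int = 3600) -> bool:
    # Reject expired tokens, then recompute for the *current* session user.
    if not issued <= now <= issued + max_age:
        return False
    return hmac.compare_digest(session_token(server_key, session_user, issued), token)


def cross_user_check() -> dict:
    """Does a token minted for alice pass verification in bob's session?"""
    flawed_for_alice = flawed_token(LIST_SECRET, ISSUED)
    hardened_for_alice = session_token(SERVER_KEY, "alice@example.org", ISSUED)
    return {
        "flawed_accepts_other_user": flawed_verify(LIST_SECRET, flawed_for_alice, ISSUED),
        "hardened_accepts_other_user": session_verify(
            SERVER_KEY, "bob@example.org", hardened_for_alice, ISSUED, ISSUED + 60),
        "hardened_accepts_owner": session_verify(
            SERVER_KEY, "alice@example.org", hardened_for_alice, ISSUED, ISSUED + 60),
        "hardened_rejects_expired": not session_verify(
            SERVER_KEY, "alice@example.org", hardened_for_alice, ISSUED, ISSUED + 7200),
    }
```

Running `cross_user_check()` shows the list-wide token accepted in any user's session, while the session-bound token is accepted only for its owner and only within its lifetime.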

Source: opennet.ru