
Cloud Vulnerability DB
A community-led vulnerability database
CVE-2021-42096 affects GNU Mailman versions before 2.1.35 and was discovered in October 2021. The vulnerability lies in the CSRF (Cross-Site Request Forgery) token implementation of the mailing list management system: the token is derived from the admin password and is exposed to unprivileged list members (Python Announce, NVD).
The flaw is that the CSRF token generated for a member's options page is derived from the hashed list admin password. Because every list member receives such a token, unprivileged members are handed material derived from the admin password hash (Red Hat CVE).
This could allow a list member to recover the list administrator's password through an offline brute-force attack. The attack can only be carried out by list members, so it may not be a significant concern for sites whose list members are all trusted (Python Announce).
The vulnerability was fixed in GNU Mailman version 2.1.35. System administrators are advised to upgrade to this version or apply the available security patch. For those who do not want to upgrade, a patch was made available on the Launchpad bug tracker (Python Announce).
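As an added illustration (constructed for this entry, not Mailman's code or its actual fix), the flawed pattern of keying a member's CSRF token with the admin password hash is shown beside a hardened pattern keyed by an independent random server secret, plus a check that reports which scheme's member tokens change when only the admin password changes. `SERVER_SECRET`, `TOKEN_TTL` and the sample users and timestamps are assumptions.

```python
import hashlib
import hmac
import os

# Flawed design (constructed illustration): the token is a function of the admin
# password hash, so every token issued to a list member carries hash-derived data.
def token_keyed_by_password(admin_password_hash: str, user: str, issued: int) -> str:
    mac = hashlib.sha1(f"{admin_password_hash}:{user}:{issued}".encode()).hexdigest()
    return f"{issued}:{mac}"

# Hardened design: key an HMAC with a random server secret that is independent of
# any password. SERVER_SECRET is a placeholder generated at import time; a real
# deployment would persist it outside the list's password store.
SERVER_SECRET = os.urandom(32)
TOKEN_TTL = 3600  # seconds a token remains valid (assumed value)

def token_keyed_by_secret(secret: bytes, user: str, issued: int) -> str:
    mac = hmac.new(secret, f"{user}:{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"

def verify_token(secret: bytes, user: str, token: str, now: int, ttl: int = TOKEN_TTL) -> bool:
    """Accept only an unexpired token whose MAC matches this user under the server secret."""
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except ValueError:
        return False
    if not 0 <= now - issued <= ttl:
        return False
    expected = token_keyed_by_secret(secret, user, issued).split(":", 1)[1]
    return hmac.compare_digest(expected, mac)  # constant-time comparison

def password_change_alters_member_token(scheme: str, user: str = "member@example.org",
                                        issued: int = 1_633_000_000) -> bool:
    """Rotate only the admin password and see whether a member's token changes.
    True means the token carries password-derived material (the CVE's defect)."""
    tokens = []
    for password in (b"admin-pass-A", b"admin-pass-B"):  # constructed sample passwords
        pw_hash = hashlib.sha1(password).hexdigest()
        if scheme == "weak":
            tokens.append(token_keyed_by_password(pw_hash, user, issued))
        else:
            tokens.append(token_keyed_by_secret(SERVER_SECRET, user, issued))
    return tokens[0] != tokens[1]
```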
Source: This report was generated using AI