On 01/08/2018 09:43 PM, Lindsay Haisley wrote:
> I just installed a new list on MM 2.1.18-1 and one of the sharper folks
> on a related FB group noted that there is, or had been, a CSRF
> vulnerability on some versions of MM2. A little research turned up
> <https://bugs.launchpad.net/mailman/+bug/775294> in which Mark states
> that this has been fixed since 2.1.15. For the record, could someone
> confirm this?
It should have been fixed in 2.1.15, but for some reason, only part of the fix was merged and released with 2.1.15. The vulnerability in the web admin interface was fixed in 2.1.15, but the admindb, edithtml and options interfaces were still vulnerable. These were not fixed until 2.1.23. See <https://bugs.launchpad.net/mailman/+bug/1614841>.

The comment thread contains a link to a patch to fix versions >= 2.1.15 and <= 2.1.22; however, the version "2.1.18-1" indicates this is some distro's package and the patch may have already been backported.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
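Two offline checks that follow from Mark's reply, added here as an example; this is not code from the thread or from the Mailman project. The first maps an upstream version string to the interfaces the thread says are still CSRF-exposed at that version (admin fixed in 2.1.15; admindb, edithtml and options fixed in 2.1.23), stripping a distro suffix such as the "-1" in "2.1.18-1". Because a distro package may already carry the backported patch, the second check looks at the page itself: it parses the HTML of an admindb/edithtml/options page and lists POST forms that carry no hidden anti-CSRF field. The field name `csrf_token`, the sample HTML and the form actions are assumptions constructed for illustration.

```python
"""Added example (not from the Mailman-Users thread or the Mailman code base).

classify_version()   -> interfaces still CSRF-vulnerable at an upstream version
forms_without_token() -> POST forms in a page that lack a hidden token field
"""
import re
from html.parser import HTMLParser

# Version boundaries as stated in the reply above.
ADMIN_FIXED = (2, 1, 15)   # web admin interface fixed in 2.1.15
REST_FIXED = (2, 1, 23)    # admindb, edithtml, options fixed in 2.1.23
ALL_INTERFACES = ("admin", "admindb", "edithtml", "options")


def parse_version(s):
    """'2.1.18-1' -> (2, 1, 18). Anything after the third number (a distro
    suffix) is dropped; it says nothing about which patches are applied."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError("not a Mailman 2 version string: %r" % s)
    return tuple(int(x) for x in m.groups())


def classify_version(s):
    """Interfaces still CSRF-vulnerable at upstream version s, per the thread.
    A distro build may have the fix backported, so treat this as a first cut."""
    v = parse_version(s)
    if v < ADMIN_FIXED:
        return ALL_INTERFACES
    if v < REST_FIXED:
        return ("admindb", "edithtml", "options")
    return ()


class _FormScanner(HTMLParser):
    """Collects every <form> with its method, action and whether a non-empty
    hidden input named token_name appears inside it."""

    def __init__(self, token_name):
        super().__init__()
        self.token_name = token_name
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                       # HTMLParser lowercases names
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": (a.get("method") or "get").lower(),
                         "has_token": False}
        elif tag == "input" and self._cur is not None:
            if (a.get("type", "").lower() == "hidden"
                    and a.get("name") == self.token_name
                    and a.get("value")):
                self._cur["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def forms_without_token(html, token_name="csrf_token"):
    """Actions of POST forms with no hidden token field. GET forms are skipped:
    they do not change state in these interfaces. token_name is an assumption."""
    p = _FormScanner(token_name)
    p.feed(html)
    p.close()
    return [f["action"] for f in p.forms
            if f["method"] == "post" and not f["has_token"]]


# Constructed sample page: one protected admin form, one unprotected admindb
# form, and a GET form that should be ignored.
SAMPLE_HTML = """
<form method="POST" action="/mailman/admin/test">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="submit" name="submit" value="Submit">
</form>
<form method="POST" action="/mailman/admindb/test">
  <input type="submit" name="submit" value="Submit">
</form>
<form method="GET" action="/mailman/listinfo/test">
  <input type="text" name="email">
</form>
"""

if __name__ == "__main__":
    for ver in ("2.1.14", "2.1.18-1", "2.1.23"):
        print(ver, "->", classify_version(ver) or "none")
    print("POST forms without token:", forms_without_token(SAMPLE_HTML))
```

To use the second check against a real install, save the HTML of the admindb, edithtml and options pages (as an authenticated browser would see them) and feed each to `forms_without_token`; a form that changes list state but shows up in the result is the one to worry about, whatever the version string says.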