CVE-2021-42096 could allow a list member to discover the list admin password.
CVE-2021-42097 could allow a list member to create a successful CSRF attack against another list member enabling takeover of the members account.
These attacks can't be carried out by non-members so may not be of concern for sites with only trusted list members.
In any case, I am planning to make a 2.1.35 release and to post a patch for those who don't want to upgrade to address these issues. This is scheduled for Tuesday, October 19.
-- Mark Sapiro <[email protected]> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
OpenPGP_signature
Description: OpenPGP digital signature
------------------------------------------------------ Mailman-Users mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3/lists/mailman-users.python.org/ Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: https://www.mail-archive.com/[email protected]/ https://mail.python.org/archives/list/[email protected]/
