[Mailman-Users] Mailman 2.1 security release

2021-11-12 Thread Mark Sapiro

I am pleased to announce the release of Mailman 2.1.36.

This is a security release. It fixes 
https://bugs.launchpad.net/mailman/+bug/1949401 CVE-2021-43331 and 
https://bugs.launchpad.net/mailman/+bug/1949403 CVE-2021-43332. The 
former of these could allow an XSS attack against the user options page 
and the latter could allow a list moderator to discover the list admin 
password via a brute force attack against the admindb page CSRF token.


For those who just want a patch for the security issues, patches are 
attached.


As noted, Mailman 2.1.30 was the last feature release of the Mailman 2.1
branch from the GNU Mailman project. There has been some discussion as
to what this means. It means there will be no more releases from the GNU
Mailman project containing any new features. There may be future patch
releases to address the following:

   i18n updates.
   security issues.
   bugs affecting operation for which no satisfactory workaround exists.

Mailman 2.1.36 is the sixth such patch release.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.

For more information, please see our web site at one of:

http://www.list.org
https://www.gnu.org/software/mailman
http://mailman.sourceforge.net/

Mailman 2.1.36 can be downloaded from

https://launchpad.net/mailman/2.1/
https://ftp.gnu.org/gnu/mailman/
https://sourceforge.net/projects/mailman/

--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan
=== modified file 'Mailman/Cgi/options.py'
--- old/Mailman/Cgi/options.py  2021-10-18 23:56:42 +
+++ new/Mailman/Cgi/options.py  2021-11-03 19:02:21 +
@@ -346,6 +346,8 @@
 varhelp = qs[0]
 if varhelp:
 # Sanitize the topic name.
+while '%' in varhelp:
+varhelp = urllib.unquote_plus(varhelp)
 varhelp = re.sub('<.*', '', varhelp)
 topic_details(mlist, doc, user, cpuser, userlang, varhelp)
 return
=== modified file 'Mailman/Cgi/admindb.py'
--- old/Mailman/Cgi/admindb.py  2018-06-17 23:47:34 +
+++ new/Mailman/Cgi/admindb.py  2021-11-03 19:04:49 +
@@ -59,8 +59,7 @@
 else:
 ssort = SSENDER
 
-AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
- mm_cfg.AuthListModerator)
+AUTH_CONTEXTS = ((mm_cfg.AuthListModerator,))
 
 
 
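Review bot: the replacement one-tuple is wrapped in a redundant extra pair of parentheses; AUTH_CONTEXTS = (mm_cfg.AuthListModerator,) is the same value and reads as intended rather than as a typo. Dropping mm_cfg.AuthListAdmin and mm_cfg.AuthSiteAdmin from the tuple is presumably the substantive fix for CVE-2021-43332 described above, so a comment above the assignment (or the commit message) should say why only the moderator context may be listed here and how list and site admins still reach admindb; without that, a later reader is likely to "restore" the admin contexts and reintroduce the issue.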


--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
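A defender's illustration of the options.py change in the post above, added here and not part of Mark Sapiro's message or of the Mailman code base: percent-decode until the value stops changing, with a bound so that escapes unquote leaves untouched cannot spin the loop, and only then apply the same '<' sanitizer. MAX_DECODE_ROUNDS, the function names and the sample values are this example's own assumptions, and it uses Python 3's urllib.parse rather than the 2.1 tree's urllib.

```python
import re
from urllib.parse import unquote_plus

# Assumption for this example: five rounds is deeper nesting than any
# legitimate client produces. The page's patch sets no bound.
MAX_DECODE_ROUNDS = 5


def decode_fully(value, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode `value` until one pass changes nothing.

    Returns (decoded, rounds_used). Stopping on "no change" rather than on
    "no '%' left" matters: unquote keeps escapes it cannot decode, such as
    a trailing '%' or '%zz', so a loop written as `while '%' in value`
    never finishes on such input, while this one returns after one pass.
    """
    for rounds in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            return value, rounds
        value = decoded
    raise ValueError("percent-encoding nested deeper than %d rounds" % max_rounds)


def sanitize_topic(varhelp):
    """Decode first, then strip from the first '<' as the patch does.

    Over-nested input is rejected (empty topic) instead of being handed on
    partially decoded and still carrying an encoded '<'.
    """
    try:
        decoded, _ = decode_fully(varhelp)
    except ValueError:
        return ''
    return re.sub('<.*', '', decoded)


def single_decode_sanitize(varhelp):
    """Pre-patch behaviour: sanitize whatever the CGI layer handed over,
    so one extra layer of encoding hides '<' from the regex."""
    return re.sub('<.*', '', varhelp)


if __name__ == '__main__':
    # Constructed sample values, not taken from the page.
    for sample in ('news%3Cb%3E', 'news%253Cb%253E', '100%', 'a+b'):
        print(repr(sample), '->', repr(single_decode_sanitize(sample)),
              repr(sanitize_topic(sample)))
```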


[Mailman-Users] Mailman 2.1 security release

2021-11-06 Thread Mark Sapiro
Two new security issues have been reported in Mailman 2.1. These have 
been given the IDs CVE-2021-43331 and CVE-2021-43332.


I plan to release 2.1.36 with full details this Friday, November 12. At 
that time the vulnerabilities will be made public and patches will also 
be made available.


--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan


[Mailman-Users] Mailman 2.1 security release

2021-10-11 Thread Mark Sapiro
A couple of vulnerabilities have recently been reported. Thanks to Andre 
Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and 
helping with the development of a fix.


CVE-2021-42096 could allow a list member to discover the list admin 
password.


CVE-2021-42097 could allow a list member to create a successful CSRF 
attack against another list member, enabling takeover of the member's account.


These attacks can't be carried out by non-members so may not be of 
concern for sites with only trusted list members.


In any case, I am planning to make a 2.1.35 release and to post a patch 
for those who don't want to upgrade to address these issues. This is 
scheduled for Tuesday, October 19.


--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan


