-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2/13/2011 1:58 PM, Mark Sapiro wrote:
> An XXS vulnerability affecting Mailman 2.1.14 and prior versions has
> recently been discovered. A patch has been developed to address this
> issue. The patch is small, affects only one module and can be applied to
> a live installation without requiring a restart.
>
> In order to accommodate those who need some notice before applying such
> a patch, the patch will be posted on Friday, 18 February at about 16:00
> GMT to the same four lists to which this announcement is addressed.
The vulnerability has been assigned CVE-2011-0707.
The patch is attached as confirm_xss.patch.txt.
- --
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
iD8DBQFNXpf1VVuXXpU7hpMRAs1nAJ97r3VEu5b5jl4JhdNv3r6x+ElqjQCghU+w
Gp0hqWatECAYyAIL7IH9dGk=
=8U6M
-END PGP SIGNATURE-
=== modified file 'Mailman/Cgi/confirm.py'
--- Mailman/Cgi/confirm.py 2010-03-29 20:48:11 +
+++ Mailman/Cgi/confirm.py 2011-02-12 02:24:47 +
@@ -471,7 +471,7 @@
if fullname is None:
fullname = _('Not available')
else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
table.AddRow([_("""Your confirmation is required in order to complete the
unsubscription request from the mailing list %(listname)s. You
are currently subscribed with
@@ -573,7 +573,7 @@
if fullname is None:
fullname = _('Not available')
else:
-fullname = Utils.uncanonstr(fullname, lang)
+fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
if globally:
globallys = _('globally')
else:
@@ -814,7 +814,7 @@
if username is None:
username = _('not available')
else:
-username = Utils.uncanonstr(username, lang)
+username = Utils.websafe(Utils.uncanonstr(username, lang))
table.AddRow([_("""Your membership in the %(realname)s mailing list is
currently disabled due to excessive bounces. Your confirmation is
--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe:
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org