[Mailman-Users] Mailman 2.1 security release

Mark Sapiro Mon, 11 Oct 2021 15:33:17 -0700

A couple of vulnerabilities have recently been reported. Thanks to Andre Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and helping with the development of a fix.

CVE-2021-42096 could allow a list member to discover the list admin password.

CVE-2021-42097 could allow a list member to create a successful CSRF attack against another list member enabling takeover of the members account.

These attacks can't be carried out by non-members so may not be of concern for sites with only trusted list members.

In any case, I am planning to make a 2.1.35 release and to post a patch for those who don't want to upgrade to address these issues. This is scheduled for Tuesday, October 19.


--
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

OpenPGP_signature
Description: OpenPGP digital signature

------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
    https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Mailman 2.1 security release

Reply via email to