I plan to release a Mailman 2.1.14 candidate release towards the end of
next week (Sept 9 or 10). This release will have enhanced XSS defenses
addressing two recently discovered vulnerabilities. Since release of the
code will potentially expose the vulnerabilities, I plan to publish a
patch against the 2.1.13 base with the fix before actually releasing the
2.1.14 candidate.

I will post the patch to the same 4 lists that this post is being sent
to in the early afternoon, GMT, on September 9.

The vulnerabilities are obscure and can only be exploited by a list
owner, but if you are concerned about them you can plan to install the
patch.

The patch is small (34 line diff), only affects two modules and doesn't
require a Mailman restart to be effective, although I would recommend a
restart as soon as convenient after applying the patch.

-- 
Mark Sapiro <mark at msapiro.net>
San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan


  • Mark Sapiro at Sep 9, 2010 at 1:46 pm

    On 9/4/2010 5:59 PM, Mark Sapiro wrote:
    > I plan to release a Mailman 2.1.14 candidate release towards the end of
    > next week (Sept 9 or 10). This release will have enhanced XSS defenses
    > addressing two recently discovered vulnerabilities. Since release of the
    > code will potentially expose the vulnerabilities, I plan to publish a
    > patch against the 2.1.13 base with the fix before actually releasing the
    > 2.1.14 candidate.
    >
    > I will post the patch to the same 4 lists that this post is being sent
    > to in the early afternoon, GMT, on September 9.
    >
    > The vulnerabilities are obscure and can only be exploited by a list
    > owner, but if you are concerned about them you can plan to install the
    > patch.

    The patch is attached. Since it only affects the web CGIs, it can be
    applied and will be effective without restarting Mailman, although since
    it includes a patch to Utils.py which is imported by the qrunners, a
    restart of Mailman is advisable as soon as convenient after applying the
    patch.

    -- 
    Mark Sapiro <mark at msapiro.net>
    San Francisco Bay Area, California
    "The highway is for gamblers, better use your sense" - B. Dylan

    Attachment: xss.patch.txt
    URL: <http://mail.python.org/pipermail/mailman-users/attachments/20100909/c9d893e6/attachment.txt>
  • Barry Warsaw at Sep 9, 2010 at 2:41 pm

    On Sep 09, 2010, at 06:46 AM, Mark Sapiro wrote:
    > The patch is attached. Since it only affects the web CGIs, it can be
    > applied and will be effective without restarting Mailman, although
    > since it includes a patch to Utils.py which is imported by the
    > qrunners, a restart of Mailman is advisable as soon as convenient
    > after applying the patch.
    Thanks Mark!
    -Barry

Discussion overview: group mailman-users @ python (list.org); posted Sep 5, 2010 at 12:59 AM; last active Sep 9, 2010 at 2:41 PM; 3 posts by 2 users.
