Mailman-announce August 2016

mailman-announce@python.org

1 participants
3 discussions

Re: [Mailman-Announce] [Mailman-Users] Mailman 2.1.23 release and fix for CVE-2016-6893

by Mark Sapiro

On 08/27/2016 07:03 AM, Jim Popovitch wrote: > I'm not seeing the CVE-2016-6893 fix in bazzar at > https://code.launchpad.net/~mailman-coders/mailman/2.1, shouldn't it > be there now too? It's there now. Thanks for the reminder. -- Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

4 years, 8 months

Mailman 2.1.23 release and fix for CVE-2016-6893

by Mark Sapiro

I am pleased to announce the release of Mailman 2.1.23. Python 2.4 is the minimum supported, but Python 2.7 is strongly recommended. This release contains a fix for CVE-2016-6893 which is also attached here as a patch. It also has new features, a few i18n updates and some bug fixes. See the attached README for details. Mailman is free software for managing email mailing lists and e-newsletters. Mailman is used for all the python.org and SourceForge.net mailing lists, as well as at hundreds of other sites. For more information, please see our web site at one of: http://www.list.org http://www.gnu.org/software/mailman http://mailman.sourceforge.net/ http://mirror.list.org/ Mailman 2.1.23 can be downloaded from https://launchpad.net/mailman/2.1/ http://ftp.gnu.org/gnu/mailman/ https://sourceforge.net/projects/mailman/ -- Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

4 years, 8 months

Imminent release of a Mailman security fix.

by Mark Sapiro

There is a CSRF vulnerability associated with the user options page. This could conceivably allow an attacker to obtain a user's password. This is reported at <https://bugs.launchpad.net/mailman/+bug/1614841>. I have developed a fix which is a small patch to two modules. I plan to release Mailman 2.1.23 with this and other fixes on Saturday, Aug 27 and also to post at the same time the patch which can be applied stand-alone. Neither the bug report nor the fix reveals much detail about the attack, but to allay any concern, I'm delaying the release for a week to allow people to plan for installation of at least the patch at the time of release. -- Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

4 years, 8 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

Mailman-announce August 2016