On 08/27/2016 07:03 AM, Jim Popovitch wrote:
> I'm not seeing the CVE-2016-6893 fix in bazaar at
> https://code.launchpad.net/~mailman-coders/mailman/2.1, shouldn't it
> be there now too?
It's there now. Thanks for the reminder.
--
Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

There is a CSRF vulnerability associated with the user options page.
This could conceivably allow an attacker to obtain a user's password.
This is reported at <https://bugs.launchpad.net/mailman/+bug/1614841>.
I have developed a fix which is a small patch to two modules. I plan to
release Mailman 2.1.23 with this and other fixes on Saturday, Aug 27 and
also to post at the same time the patch which can be applied stand-alone.
Neither the bug report nor the fix reveals much detail about the attack,
but to allay any concern, I'm delaying the release for a week to allow
people to plan for installation of at least the patch at the time of
release.
--
Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
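As an added illustration, not the Mailman 2.1.23 patch and not code from the Mailman project: the shape of a token-based CSRF defence for a self-service options form whose actions can change a password or mail it back to the subscriber. A form on an attacker's site can make the victim's browser POST to such a page with the victim's cookie attached, so the handler must also require a value the cross-site page cannot obtain. The token here is an HMAC over the list name, the user and an issue time, keyed with a site secret; the function names, the secret, the one-day lifetime and the sample requests are all assumptions made for the example. The Python 3 below is generic and stands alone.

```python
# Added example: HMAC-based CSRF token for a self-service options form.
# Illustrative only; not the Mailman code or its actual fix.  The secret,
# the lifetime and every name here are assumptions for the example.
import hashlib
import hmac
import time

SECRET_KEY = b"site-wide secret; in practice read from the site config"  # assumption
TOKEN_TTL = 24 * 3600  # assumption: a token is accepted for one day


def make_csrf_token(listname, user, now=None):
    """Mint a token bound to this list, this user and the issue time."""
    issued = int(now if now is not None else time.time())
    msg = "%s:%s:%d" % (listname, user, issued)
    mac = hmac.new(SECRET_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return "%d:%s" % (issued, mac)


def check_csrf_token(token, listname, user, now=None):
    """True only if `token` was minted for this list and user and is unexpired."""
    try:
        issued_s, _mac = token.split(":", 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False
    current = int(now if now is not None else time.time())
    if issued > current or current - issued > TOKEN_TTL:
        return False
    # Re-derive the expected token and compare in constant time.
    expected = make_csrf_token(listname, user, now=issued)
    return hmac.compare_digest(expected.encode(), token.encode())


def handle_options_post(form, listname, user, require_token=True, now=None):
    """Process a POST to the options page for `user` on `listname`.

    `form` is a dict of submitted fields.  With require_token=False the
    handler has the vulnerable shape: any POST arriving with the user's
    cookie is acted on, so a hidden auto-submitting form on another site
    can drive it.  With require_token=True the POST must also carry a
    token minted for this list and user, which a cross-site page cannot
    read or forge.
    """
    if require_token and not check_csrf_token(
            form.get("csrf_token", ""), listname, user, now):
        return ("rejected", None)
    if "emailpw" in form:
        # Would mail the current password to the subscriber's address.
        return ("mailed-password", user)
    if "changepw" in form:
        if form.get("newpw") and form.get("newpw") == form.get("confpw"):
            return ("password-changed", user)
        return ("error", "passwords do not match")
    return ("noop", None)


def demo(listname="announce", user="alice@example.com"):
    """Constructed requests: a forged cross-site POST, then a legitimate one."""
    forged = {"changepw": "1", "newpw": "attacker-chosen", "confpw": "attacker-chosen"}
    vulnerable = handle_options_post(forged, listname, user, require_token=False)
    hardened = handle_options_post(forged, listname, user)
    legit = dict(forged, csrf_token=make_csrf_token(listname, user))
    accepted = handle_options_post(legit, listname, user)
    return vulnerable, hardened, accepted


if __name__ == "__main__":
    print(demo())
```

The token is embedded as a hidden field when the options form is rendered, so a browser that is merely made to submit a form from another origin never has it. Binding the token to the list and the user means a token issued to one subscriber cannot be replayed against another, and the issue time bounds how long a leaked token stays useful.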