A couple of vulnerabilities have recently been reported. Thanks to Andre
Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and
helping with the development of a fix.
CVE-2021-42096 could allow a list member to discover the list admin
password.
CVE-2021-42097 could allow a list member to create a successful CSRF
attack against another list member enabling takeover of the member's account.
These attacks can't be carried out by non-members so may not be of
concern for sites with only trusted list members.
In any case, I am planning to make a 2.1.35 release and to post a patch
for those who don't want to upgrade to address these issues. This is
scheduled for Tuesday, October 19.
--
Mark Sapiro <mark(a)msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Hello Everyone,
I have just tagged and released Hyperkitty 1.3.5 and mailman-hyperkitty plugin 1.2.0 to PyPI.
This release includes some changes in the authentication between mailman-hyperkitty plugin and Hyperkitty. For that reason, it is important to upgrade both Hyperkitty and mailman-hyperkitty plugin to the latest versions, or it could result in a broken installation.
This release of Hyperkitty has bugfixes, some new features and some security enhancements. A full list of changes is available at:
https://docs.mailman3.org/projects/hyperkitty/en/latest/news.html#news-1-3-5
The release tarballs are available at PyPI:
https://pypi.org/project/HyperKitty/#files
https://pypi.org/project/mailman-hyperkitty/#files
You can upgrade your installations by running:
pip install mailman-hyperkitty hyperkitty -U
After the upgrade, please make sure to run these commands:
https://docs.mailman3.org/en/latest/upgrade-3.2.html#post-upgrade
Also, make sure to restart Mailman Core after upgrading mailman-hyperkitty plugin.
Finally, many thanks to all the people who contributed to this release.
--
thanks,
Abhilash Raj (maxking)