
I plan to release a Mailman 2.1.14 candidate release towards the end of next week (Sept 9 or 10). This release will have enhanced XSS defenses addressing two recently discovered vulnerabilities. Since release of the code will potentially expose the vulnerabilities, I plan to publish a patch against the 2.1.13 base with the fix before actually releasing the 2.1.14 candidate.
I will post the patch to the same 4 lists that this post is being sent to in the early afternoon, GMT, on September 9.
The vulnerabilities are obscure and can only be exploited by a list owner, but if you are concerned about them you can plan to install the patch.
The patch is small (34 line diff), only affects two modules and doesn't require a Mailman restart to be effective, although I would recommend a restart as soon as convenient after applying the patch.
Mark Sapiro mark@msapiro.net            The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

On 9/4/2010 5:59 PM, Mark Sapiro wrote:
> I plan to release a Mailman 2.1.14 candidate release towards the end of next week (Sept 9 or 10). This release will have enhanced XSS defenses addressing two recently discovered vulnerabilities. Since release of the code will potentially expose the vulnerabilities, I plan to publish a patch against the 2.1.13 base with the fix before actually releasing the 2.1.14 candidate.
> I will post the patch to the same 4 lists that this post is being sent to in the early afternoon, GMT, on September 9.
> The vulnerabilities are obscure and can only be exploited by a list owner, but if you are concerned about them you can plan to install the patch.
The patch is attached. Since it only affects the web CGIs, it can be applied and will be effective without restarting Mailman, although since it includes a patch to Utils.py which is imported by the qrunners, a restart of Mailman is advisable as soon as convenient after applying the patch.
Mark Sapiro mark@msapiro.net            The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

On Sep 09, 2010, at 06:46 AM, Mark Sapiro wrote:
> The patch is attached. Since it only affects the web CGIs, it can be applied and will be effective without restarting Mailman, although since it includes a patch to Utils.py which is imported by the qrunners, a restart of Mailman is advisable as soon as convenient after applying the patch.
Thanks Mark! -Barry