Mailman 2.1 security release
A couple of vulnerabilities have recently been reported. Thanks to Andre Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and helping with the development of a fix.
CVE-2021-42096 could allow a list member to discover the list admin password.
CVE-2021-42097 could allow a list member to create a successful CSRF attack against another list member enabling takeover of the members account.
These attacks can't be carried out by non-members so may not be of concern for sites with only trusted list members.
In any case, I am planning to make a 2.1.35 release and to post a patch for those who don't want to upgrade to address these issues. This is scheduled for Tuesday, October 19.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
I am pleased to announce the release of Mailman 2.1.35.
This is a security and minor bug fix release. See the attached README.txt for details. For those who just want a patch for the security issues, see <https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873>. The patch is also attached to the bug reports at <https://bugs.launchpad.net/mailman/+bug/1947639> and <https://bugs.launchpad.net/mailman/+bug/1947640>. The patch is the same on both and fixes both issues.
As noted Mailman 2.1.30 was the last feature release of the Mailman 2.1 branch from the GNU Mailman project. There has been some discussion as to what this means. It means there will be no more releases from the GNU Mailman project containing any new features. There may be future patch releases to address the following:
i18n updates.
security issues.
bugs affecting operation for which no satisfactory workaround exists.
Mailman 2.1.35 is the fifth such patch release.
Mailman is free software for managing email mailing lists and e-newsletters. Mailman is used for all the python.org and SourceForge.net mailing lists, as well as at hundreds of other sites.
For more information, please see our web site at one of:
http://www.list.org https://www.gnu.org/software/mailman http://mailman.sourceforge.net/
Mailman 2.1.35 can be downloaded from
https://launchpad.net/mailman/2.1/ https://ftp.gnu.org/gnu/mailman/ https://sourceforge.net/projects/mailman/
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On 10/19/21 6:28 PM, Mark Sapiro wrote:
Mailman 2.1.35 can be downloaded from
https://launchpad.net/mailman/2.1/ https://ftp.gnu.org/gnu/mailman/ https://sourceforge.net/projects/mailman/
There is an issue with my upload to gnu.org. Mailman 2.1.35 is not there yet. I am trying to resolve this with gnu.org. In the mean time the Launchpad and Sourceforge have the release.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On 10/20/21 11:43 AM, Mark Sapiro wrote:
On 10/19/21 6:28 PM, Mark Sapiro wrote:
Mailman 2.1.35 can be downloaded from
https://launchpad.net/mailman/2.1/ https://ftp.gnu.org/gnu/mailman/ https://sourceforge.net/projects/mailman/
There is an issue with my upload to gnu.org. Mailman 2.1.35 is not there yet. I am trying to resolve this with gnu.org. In the mean time the Launchpad and Sourceforge have the release.
This issue has been resolved and Mailman 2.1.35 is now available at https://ftp.gnu.org/gnu/mailman/ as well as the other locations.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
participants (1)
-
Mark Sapiro