*** This bug is a security vulnerability ***

Private security bug reported:

We may have to set a lifetime for input forms because of recent activities on cross-site request forgery (CSRF). The form lifetime is successfully deployed in frameworks like web.py or plone etc.

Proposed branch lp:~tkikuchi/mailman/form-lifetime implements lifetime in the admin, admindb, options and edithtml interfaces. Other forms like create and rmlist have confirmation by password and thus are safe regarding CSRF.

The form generation time is set by a hidden parameter whose value is calculated following the mailman cookie algorithm. The default lifetime is set to 1 hour in Default.py and is thus configurable by a site administrator.

If a password is set in the request, the authorization cookie is discarded so password authentication is forced. Wget tricks to manage a list in the FAQ can be used as they are now.

** Affects: mailman
     Importance: Undecided
         Status: New

** Branch linked: lp:~tkikuchi/mailman/form-lifetime

--
You received this bug notification because you are a member of Mailman Coders, which is a direct subscriber.
https://bugs.launchpad.net/bugs/775294

Title:
  Set lifetime for input forms
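The report above describes the mitigation only in outline: a hidden form field carrying the generation time, keyed like the Mailman cookie, and rejected once it is older than a configurable lifetime. The following is an added illustration of that scheme, not code from the form-lifetime branch or from Mailman: it assumes a hypothetical site secret, an HMAC-SHA256 MAC in place of Mailman's own cookie algorithm, and the 1 hour default the report mentions.

```python
import hashlib
import hmac
import time

# Constructed stand-ins for a site secret and the configurable lifetime
# (the report says the default is 1 hour in Default.py). Not Mailman's values.
SITE_SECRET = b"constructed-site-secret-not-real"
FORM_LIFETIME = 3600  # seconds
CLOCK_SKEW = 60       # tolerate small clock drift between issue and check


def _mac(list_name, user, issued, secret):
    # Bind the token to the list, the acting user and the issue time so that
    # a token minted for one context cannot be replayed in another.
    msg = "\0".join((list_name, user, str(issued))).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_form_token(list_name, user, issued=None, secret=SITE_SECRET):
    """Value for the hidden form field: '<issued>:<mac>'."""
    if issued is None:
        issued = int(time.time())
    return f"{issued}:{_mac(list_name, user, issued, secret)}"


def check_form_token(token, list_name, user, now=None,
                     lifetime=FORM_LIFETIME, secret=SITE_SECRET):
    """True only if the MAC verifies and the form is younger than lifetime.

    A cross-site attacker cannot produce a valid MAC without the secret,
    and a token captured earlier stops working once the lifetime elapses.
    """
    if now is None:
        now = int(time.time())
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except ValueError:
        return False  # malformed field: treat as no token at all
    expected = _mac(list_name, user, issued, secret)
    if not hmac.compare_digest(mac, expected):
        return False  # forged or tampered (e.g. issue time edited)
    if issued > now + CLOCK_SKEW:
        return False  # issued "in the future": not a token we minted
    return now - issued <= lifetime
```

On a real submission the check runs before any state-changing action; a failing token should re-render the form with a fresh field rather than apply the request.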
** Changed in: mailman
       Status: New => Fix Committed

--
You received this bug notification because you are a member of Mailman Coders, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/775294

Title:
  Set lifetime for input forms

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/775294/+subscriptions
The lp:~tkikuchi/mailman/form-lifetime branch was only partially merged for Mailman 2.1.15. It has now been completely merged for Mailman 2.1.23.

** Changed in: mailman
    Milestone: None => 2.1.15
** Changed in: mailman
       Status: Fix Committed => Fix Released

** Information type changed from Private Security to Public
** Changed in: mailman
    Milestone: 2.1.15 => 2.1.23
CVE-2016-7123 has recently been issued noting that a CSRF vulnerability exists in the admin interface in Mailman prior to 2.1.15.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7123
participants (2)
- Mark Sapiro
- Tokio Kikuchi