
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/4/2010 5:59 PM, Mark Sapiro wrote:
> I plan to release a Mailman 2.1.14 candidate release towards the end of next week (Sept 9 or 10). This release will have enhanced XSS defenses addressing two recently discovered vulnerabilities. Since release of the code will potentially expose the vulnerabilities, I plan to publish a patch against the 2.1.13 base with the fix before actually releasing the 2.1.14 candidate.
>
> I will post the patch to the same 4 lists that this post is being sent to in the early afternoon, GMT, on September 9.
>
> The vulnerabilities are obscure and can only be exploited by a list owner, but if you are concerned about them you can plan to install the patch.

The patch is attached. Since it only affects the web CGIs, it can be applied and will be effective without restarting Mailman, although since it includes a patch to Utils.py, which is imported by the qrunners, a restart of Mailman is advisable as soon as convenient after applying the patch.

Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMiOUnVVuXXpU7hpMRAkWlAJoCqVN2gSlNummYeDfq+BHcVfSKhACg5qrJ
7Idyd0aET0xWy11P6njxT3w=
=9uxx
-----END PGP SIGNATURE-----