On 11/12/21 4:01 PM, Mark Sapiro wrote:
Mailman 2.1.36 had a serious bug. Thanks to Joel Lord for finding and reporting it.
I have just released Mailman 2.1.37 to fix that issue. It is reported at https://bugs.launchpad.net/mailman/+bug/1950833 and is fixed at https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1878
Mailman 2.1.36 should not be installed - upgrade from Mailman <= 2.1.35 directly to 2.1.37.
For those interested in just a patch, the fix for https://bugs.launchpad.net/mailman/+bug/1949403 (CVE-2021-43332) in Mailman 2.1.35 and prior is ``` === modified file 'Mailman/CSRFcheck.py' --- old/Mailman/CSRFcheck.py 2021-10-18 23:56:42 +0000 +++ new/Mailman/CSRFcheck.py 2021-11-12 23:06:09 +0000 @@ -45,7 +45,7 @@ for context in contexts: key, secret = mlist.AuthContextInfo(context, user) - if key: + if key and secret: break else: return None # not authenticated === modified file 'Mailman/Cgi/admindb.py' --- old/Mailman/Cgi/admindb.py 2018-06-17 23:47:34 +0000 +++ new/Mailman/Cgi/admindb.py 2021-11-12 23:05:56 +0000 @@ -59,8 +59,8 @@ else: ssort = SSENDER -AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin, - mm_cfg.AuthListModerator) +AUTH_CONTEXTS = (mm_cfg.AuthListModerator, mm_cfg.AuthListAdmin, + mm_cfg.AuthSiteAdmin) ``` -- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
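Review bot: in the Mailman/CSRFcheck.py hunk, the original `if key:` breaks out of the `for context in contexts:` loop on the first context that yields a key even when its `secret` is empty, so the token check that follows would be evaluated against an empty secret instead of falling through to `return None  # not authenticated`; `if key and secret:` makes such a context be skipped, which is the right behaviour. Since the condition now reads like an ordinary nil-check, add a one-line comment stating that a context with a key but no secret must not be accepted, so a later cleanup does not simplify it back to `if key:`.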
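Review bot: the Mailman/Cgi/admindb.py hunk only reorders the `AUTH_CONTEXTS` tuple (`mm_cfg.AuthListModerator` moved to the front), and that order is load-bearing: if these are the contexts handed to the CSRFcheck loop shown in the previous hunk, the first entry with both a key and a secret wins, so the tuple order decides which context's secret is used. A comment above the tuple saying that the order is intentional (least-privileged context first) and must not be changed would keep a future "cosmetic" reordering from silently regressing the fix for CVE-2021-43332.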