-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
I plan to release a Mailman 2.1.14 candidate release towards the end of next week (Sept 9 or 10). This release will have enhanced XSS defenses addressing two recently discovered vulnerabilities. Since release of the code will potentially expose the vulnerabilities, I plan to publish a patch against the 2.1.13 base with the fix before actually releasing the 2.1.14 candidate.
I will post the patch to the same 4 lists that this post is being sent to in the early afternoon, GMT, on September 9.
The vulnerabilities are obscure and can only be exploited by a list owner, but if you are concerned about them you can plan to install the patch.
The patch is small (34 line diff), only affects two modules and doesn't require a Mailman restart to be effective, although I would recommend a restart as soon as convenient after applying the patch.
Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32)
iD8DBQFMgutpVVuXXpU7hpMRAsX1AJ48C0RxSpV7r9lg3J0V7OTs44ISqgCgn1wX LZ5RkuGLo0r04eDNYOBDYpo= =gscN -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 9/4/2010 5:59 PM, Mark Sapiro wrote:
I plan to release a Mailman 2.1.14 candidate release towards the end of next week (Sept 9 or 10). This release will have enhanced XSS defenses addressing two recently discovered vulnerabilities. Since release of the code will potentially expose the vulnerabilities, I plan to publish a patch against the 2.1.13 base with the fix before actually releasing the 2.1.14 candidate.
I will post the patch to the same 4 lists that this post is being sent to in the early afternoon, GMT, on September 9.
The vulnerabilities are obscure and can only be exploited by a list owner, but if you are concerned about them you can plan to install the patch.
The patch is attached. Since it only affects the web CGIs, it can be applied and will be effective without restarting Mailman, although since it includes a patch to Utils.py which is imported by the qrunners, a restart of Mailman is advisable as soon as convenient after applying the patch.
Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32)
iD8DBQFMiOUnVVuXXpU7hpMRAkWlAJoCqVN2gSlNummYeDfq+BHcVfSKhACg5qrJ 7Idyd0aET0xWy11P6njxT3w= =9uxx -----END PGP SIGNATURE-----
On Sep 09, 2010, at 06:46 AM, Mark Sapiro wrote:
The patch is attached. Since it only affects the web CGIs, it can be applied and will be effective without restarting Mailman, although since it includes a patch to Utils.py which is imported by the qrunners, a restart of Mailman is advisable as soon as convenient after applying the patch.
Thanks Mark! -Barry
Mark,
I just wanted to send a Thank You for the way this security patch was handled. The heads-up email was perfect and very much appreciated.
Thank you also, to yourself, Barry, and ALL the Mailman Developers, for the high quality of work that goes into Mailman.
-Jim P.
On Thu, Sep 9, 2010 at 10:41, Barry Warsaw <barry@list.org> wrote:
On Sep 09, 2010, at 06:46 AM, Mark Sapiro wrote:
The patch is attached. Since it only affects the web CGIs, it can be applied and will be effective without restarting Mailman, although since it includes a patch to Utils.py which is imported by the qrunners, a restart of Mailman is advisable as soon as convenient after applying the patch.
Thanks Mark! -Barry
Mailman-announce mailing list Mailman-announce@python.org http://mail.python.org/mailman/listinfo/mailman-announce Member address: jimpop@gmail.com Unsubscribe: http://mail.python.org/mailman/options/mailman-announce/jimpop%40gmail.com
participants (3)
-
Barry Warsaw -
Jim Popovitch -
Mark Sapiro