I plan to release a Mailman 2.1.14 candidate release towards the end of next week (Sept 9 or 10). This release will have enhanced XSS defenses addressing two recently discovered vulnerabilities. Since release of the code will potentially expose the vulnerabilities, I plan to publish a patch against the 2.1.13 base with the fix before actually releasing the 2.1.14 candidate.
I will post the patch to the same 4 lists that this post is being sent to in the early afternoon, GMT, on September 9.
The vulnerabilities are obscure and can only be exploited by a list owner, but if you are concerned about them you can plan to install the patch.
The patch is small (34 line diff), only affects two modules and doesn't require a Mailman restart to be effective, although I would recommend a restart as soon as convenient after applying the patch.
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
On 9/4/2010 5:59 PM, Mark Sapiro wrote:
> I plan to release a Mailman 2.1.14 candidate release towards the end of next week (Sept 9 or 10). This release will have enhanced XSS defenses addressing two recently discovered vulnerabilities. Since release of the code will potentially expose the vulnerabilities, I plan to publish a patch against the 2.1.13 base with the fix before actually releasing the 2.1.14 candidate.
> I will post the patch to the same 4 lists that this post is being sent to in the early afternoon, GMT, on September 9.
> The vulnerabilities are obscure and can only be exploited by a list owner, but if you are concerned about them you can plan to install the patch.
The patch is attached. Since it only affects the web CGIs, it can be applied and will be effective without restarting Mailman, although since it includes a patch to Utils.py which is imported by the qrunners, a restart of Mailman is advisable as soon as convenient after applying the patch.
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
On Sep 09, 2010, at 06:46 AM, Mark Sapiro wrote:
> The patch is attached. Since it only affects the web CGIs, it can be applied and will be effective without restarting Mailman, although since it includes a patch to Utils.py which is imported by the qrunners, a restart of Mailman is advisable as soon as convenient after applying the patch.
Thanks Mark! -Barry
Mark,
I just wanted to send a Thank You for the way this security patch was handled. The heads-up email was perfect and very much appreciated.
Thank you also, to yourself, Barry, and ALL the Mailman Developers, for the high quality of work that goes into Mailman.
-Jim P.
On Thu, Sep 9, 2010 at 10:41, Barry Warsaw <barry@list.org> wrote:
> On Sep 09, 2010, at 06:46 AM, Mark Sapiro wrote:
> > The patch is attached. Since it only affects the web CGIs, it can be applied and will be effective without restarting Mailman, although since it includes a patch to Utils.py which is imported by the qrunners, a restart of Mailman is advisable as soon as convenient after applying the patch.
> Thanks Mark! -Barry