Re: [Mailman-Developers] Mailman Security Patch Announcement
Sorry for the n00b moment, but am I correct to think that the way to apply the patch is to issue the command:
patch <pathTo_Mailman/cgi/confirm.py> <pathTo_confirm_xss.patch.txt>
...when logged in with appropriate permissions and where each <thingInBrackets> is replaced with the appropriate file path.
(I did check to see whether there were instructions posted on the web page. Maybe you included them on a different list.)
Thanks, Dave
David Brown dave@aasv.org ; webmaster@aasv.org
-----Original Message-----
From: mailman-developers-bounces+dave=aasv.org@python.org [mailto:mailman-developers-bounces+dave=aasv.org@python.org] On Behalf Of Mark Sapiro
Sent: Friday, February 18, 2011 11:02 AM
To: Mailman Announce; Mailman i18n; Mailman Users; Mailman Developers
Subject: Re: [Mailman-Developers] Mailman Security Patch Announcement
On 2/13/2011 1:58 PM, Mark Sapiro wrote:
An XSS vulnerability affecting Mailman 2.1.14 and prior versions has recently been discovered. A patch has been developed to address this issue. The patch is small, affects only one module and can be applied to a live installation without requiring a restart.
In order to accommodate those who need some notice before applying such a patch, the patch will be posted on Friday, 18 February at about 16:00 GMT to the same four lists to which this announcement is addressed.
The vulnerability has been assigned CVE-2011-0707.
The patch is attached as confirm_xss.patch.txt.
Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
David Brown wrote:
Sorry for the n00b moment, but am I correct to think that the way to apply the patch is to issue the command:
patch <pathTo_Mailman/cgi/confirm.py> <pathTo_confirm_xss.patch.txt>
...when logged in with appropriate permissions and where each <thingInBrackets> is replaced with the appropriate file path.
That will work in this case because the patch changes only the one file. In general, the preferred method is
cd $prefix
patch -p0 < path_to_patch_file
where $prefix is the directory that contains the Mailman/ directory. In a default source install, this is /usr/local/mailman/ - YMMV.
--
Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
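An added example, not part of the thread, of the preferred method Mark describes (cd $prefix; patch -p0 < patchfile), wrapped in a function that dry-runs the patch first so a patch that does not apply cleanly leaves the live install untouched, and keeps a backup of the original. The mock tree, the diff and the path Mailman/Cgi/confirm.py are constructed stand-ins; the real patch is confirm_xss.patch.txt and $prefix is typically /usr/local/mailman.

```shell
#!/bin/sh
# Added example (not from the thread): apply a single-file patch from $prefix
# with a dry run first and a backup of the original. Everything below is
# constructed: the mock tree, the diff and Mailman/Cgi/confirm.py are
# stand-ins for a real Mailman install and confirm_xss.patch.txt.
set -eu

# apply_patch PREFIX PATCHFILE
# -p0: paths in the diff are relative to PREFIX, so nothing is stripped.
# -N : refuse patches that look reversed or already applied (safe to re-run).
# -b : keep the pre-patch file as <name>.orig.
apply_patch() {
    pfx=$1; patchfile=$2
    ( cd "$pfx" && patch -p0 -N -s --dry-run < "$patchfile" ) || return 1
    ( cd "$pfx" && patch -p0 -N -s -b < "$patchfile" )
}

# check_applied PREFIX: 0 if the patched line is present in the target file.
check_applied() {
    grep -q 'return escape(x)' "$1/Mailman/Cgi/confirm.py"
}

# Constructed mock install: $prefix/Mailman/Cgi/confirm.py
prefix=$(mktemp -d)
mkdir -p "$prefix/Mailman/Cgi"
printf 'def confirm(x):\n    return x\n' > "$prefix/Mailman/Cgi/confirm.py"

# Constructed unified diff with paths relative to $prefix (hence -p0).
# It is not the CVE-2011-0707 fix, only a shape-compatible stand-in.
cat > "$prefix/constructed.patch" <<'EOF'
--- Mailman/Cgi/confirm.py
+++ Mailman/Cgi/confirm.py
@@ -1,2 +1,2 @@
 def confirm(x):
-    return x
+    return escape(x)
EOF

apply_patch "$prefix" "$prefix/constructed.patch"
check_applied "$prefix" && echo "patched: $prefix/Mailman/Cgi/confirm.py"
ls "$prefix/Mailman/Cgi/"          # confirm.py and the confirm.py.orig backup

# A second run is refused at the dry-run stage (-N), so the tree is not touched twice.
if apply_patch "$prefix" "$prefix/constructed.patch"; then
    echo "unexpected: patch applied twice"
else
    echo "already applied, refused"
fi
```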
On Fri, 18 Feb 2011, Mark Sapiro wrote:
David Brown wrote:
Sorry for the n00b moment, but am I correct to think that the way to apply the patch is to issue the command:
patch <pathTo_Mailman/cgi/confirm.py> <pathTo_confirm_xss.patch.txt>
...when logged in with appropriate permissions and where each <thingInBrackets> is replaced with the appropriate file path. [...]
Will there soon be an actual release of Mailman that includes the fix?
| Mathieu Bouchard ---- tél: +1.514.383.3801 ---- Villeray, Montréal, QC
"Mathieu Bouchard" <matju@artengine.ca> wrote:
Will there soon be an actual release of Mailman that includes the fix?
The fix has been committed to the Bazaar branch at lp:mailman/2.1 and will be in the 2.1.15 release. There is no scheduled date yet.
-- Mark Sapiro - mark@msapiro.net
Sent from my Android phone with K-9 Mail. Please excuse my brevity.