Sorry for the n00b moment, but am I correct to think that the way to apply the patch is to issue the command:

patch <pathTo_Mailman/cgi/confirm.py> <pathTo_confirm_xss.patch.txt>

...when logged in with appropriate permissions and where each <thingInBrackets> is replaced with the appropriate file path.

(I did check to see whether there were instructions posted on the web page. Maybe you included them on a different list.)

Thanks, Dave -- David Brown dave@aasv.org ; webmaster@aasv.org

-----Original Message----- From: mailman-developers-bounces+dave=aasv.org@python.org [mailto:mailman-developers-bounces+dave=aasv.org@python.org] On Behalf Of Mark Sapiro Sent: Friday, February 18, 2011 11:02 AM To: Mailman Announce; Mailman i18n; Mailman Users; Mailman Developers Subject: Re: [Mailman-Developers] Mailman Security Patch Announcement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 2/13/2011 1:58 PM, Mark Sapiro wrote:

An XXS vulnerability affecting Mailman 2.1.14 and prior versions has recently been discovered. A patch has been developed to address this issue. The patch is small, affects only one module and can be applied to a live installation without requiring a restart.

In order to accommodate those who need some notice before applying such a patch, the patch will be posted on Friday, 18 February at about 16:00 GMT to the same four lists to which this announcement is addressed.

The vulnerability has been assigned CVE-2011-0707.

The patch is attached as confirm_xss.patch.txt.

Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan