Mailman 2.1 security release
I am pleased to announce the release of Mailman 2.1.36.
This is a security release. It fixes https://bugs.launchpad.net/mailman/+bug/1949401 CVE-2021-43331 and https://bugs.launchpad.net/mailman/+bug/1949403 CVE-2021-43332. The former of these could allow an XSS attack against the user options page and the latter could allow a list moderator to discover the list admin password via a brute force attack against the admindb page CSRF token.
For those who just want a patch for the security issues, patches are attached.
As noted, Mailman 2.1.30 was the last feature release of the Mailman 2.1 branch from the GNU Mailman project. There has been some discussion as to what this means. It means there will be no more releases from the GNU Mailman project containing any new features. There may be future patch releases to address the following:
i18n updates.
security issues.
bugs affecting operation for which no satisfactory workaround exists.
Mailman 2.1.36 is the sixth such patch release.
Mailman is free software for managing email mailing lists and e-newsletters. Mailman is used for all the python.org and SourceForge.net mailing lists, as well as at hundreds of other sites.
For more information, please see our web site at one of:
http://www.list.org
https://www.gnu.org/software/mailman
http://mailman.sourceforge.net/
Mailman 2.1.36 can be downloaded from
https://launchpad.net/mailman/2.1/
https://ftp.gnu.org/gnu/mailman/
https://sourceforge.net/projects/mailman/
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Mailman 2.1.36 had a serious bug. Thanks to Joel Lord for finding and reporting it.
I have just released Mailman 2.1.37 to fix that issue. It is reported at https://bugs.launchpad.net/mailman/+bug/1950833 and is fixed at https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1878
Mailman 2.1.36 should not be installed - upgrade from Mailman <= 2.1.35 directly to 2.1.37.
As noted, Mailman 2.1.30 was the last feature release of the Mailman 2.1 branch from the GNU Mailman project. There has been some discussion as to what this means. It means there will be no more releases from the GNU Mailman project containing any new features. There may be future patch releases to address the following:
i18n updates.
security issues.
bugs affecting operation for which no satisfactory workaround exists.
Mailman 2.1.37 is the seventh such patch release.
Mailman is free software for managing email mailing lists and e-newsletters. Mailman is used for all the python.org and SourceForge.net mailing lists, as well as at hundreds of other sites.
For more information, please see our web site at one of:
http://www.list.org
https://www.gnu.org/software/mailman
http://mailman.sourceforge.net/
Mailman 2.1.37 can be downloaded from
https://launchpad.net/mailman/2.1/
https://ftp.gnu.org/gnu/mailman/
https://sourceforge.net/projects/mailman/
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
On 11/12/21 4:01 PM, Mark Sapiro wrote:
> Mailman 2.1.36 had a serious bug. Thanks to Joel Lord for finding and reporting it.
> I have just released Mailman 2.1.37 to fix that issue. It is reported at https://bugs.launchpad.net/mailman/+bug/1950833 and is fixed at https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1878
> Mailman 2.1.36 should not be installed - upgrade from Mailman <= 2.1.35 directly to 2.1.37.
For those interested in just a patch, the fix for https://bugs.launchpad.net/mailman/+bug/1949403 (CVE-2021-43332) in Mailman 2.1.35 and prior is ``` === modified file 'Mailman/CSRFcheck.py' --- old/Mailman/CSRFcheck.py 2021-10-18 23:56:42 +0000 +++ new/Mailman/CSRFcheck.py 2021-11-12 23:06:09 +0000 @@ -45,7 +45,7 @@ for context in contexts: key, secret = mlist.AuthContextInfo(context, user) - if key: + if key and secret: break else: return None # not authenticated === modified file 'Mailman/Cgi/admindb.py' --- old/Mailman/Cgi/admindb.py 2018-06-17 23:47:34 +0000 +++ new/Mailman/Cgi/admindb.py 2021-11-12 23:05:56 +0000 @@ -59,8 +59,8 @@ else: ssort = SSENDER -AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin, - mm_cfg.AuthListModerator) +AUTH_CONTEXTS = (mm_cfg.AuthListModerator, mm_cfg.AuthListAdmin, + mm_cfg.AuthSiteAdmin) ``` -- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
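Review bot: in the Mailman/CSRFcheck.py hunk, changing `if key:` to `if key and secret:` closes the case where a context reports a key but an empty secret (for example a moderator context with no moderator password set), which previously broke out of the loop and derived the token from that empty secret; the loop still picks the first context that satisfies the test rather than the context the caller actually authenticated under, so a short comment above the loop stating that callers must list the least-privileged context first would document the assumption the fix relies on.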
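Review bot: in the Mailman/Cgi/admindb.py hunk, the fix works only because AuthListModerator now precedes AuthListAdmin and AuthSiteAdmin in AUTH_CONTEXTS, so that a moderator's token is no longer derived from the list admin secret; that ordering is load-bearing and should be stated in a comment next to the tuple (for example, "least privileged context first; see CVE-2021-43332") so a later edit does not reintroduce the issue by reordering it.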