Imminent release of a Mailman security fix.
There is a CSRF vulnerability associated with the user options page. This could conceivably allow an attacker to obtain a user's password.
This is reported at <https://bugs.launchpad.net/mailman/+bug/1614841>.
I have developed a fix which is a small patch to two modules. I plan to release Mailman 2.1.23 with this and other fixes on Saturday, Aug 27 and also to post at the same time the patch which can be applied stand-alone.
Neither the bug report nor the fix reveals much detail about the attack, but to allay any concern, I'm delaying the release for a week to allow people to plan for installation of at least the patch at the time of release.
-- 
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
Mark Sapiro:
> There is a CSRF vulnerability ... I have developed a fix ... I'm delaying the release ...
Hello,
I don't understand why you wait. Yes, some people may need time to plan an update.
But there are also people who do not need such a plan. They could use the
patch right now.
But maybe you have your reasons for doing it that way. Anyway: thanks for Mailman :-)
Andreas
On 8/22/16 5:31 AM, A. Schulze wrote:
> Mark Sapiro:
> > There is a CSRF vulnerability ... I have developed a fix ... I'm delaying the release ...
> Hello,
> I don't understand why you wait. Yes, some people may need time to plan an update. But there are also people who do not need such a plan. They could use the patch right now.
> But maybe you have your reasons for doing it that way. Anyway: thanks for Mailman :-)
> Andreas
The normal procedure for security updates in the software industry is an advance announcement so people can plan, and then a release at a specified point in time, so people can plan to update right then if possible.
The issue is that the security flaw is generally not known, and releasing the patch sometimes gives enough information to allow someone to figure out the security flaw and exploit it in a short while, so you want people to be able to apply the update rapidly before that happens.
-- Richard Damon