Mailman Security Patch Announcement
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
An XSS vulnerability affecting Mailman 2.1.14 and prior versions has recently been discovered. A patch has been developed to address this issue. The patch is small, affects only one module and can be applied to a live installation without requiring a restart.
In order to accommodate those who need some notice before applying such a patch, the patch will be posted on Friday, 18 February at about 16:00 GMT to the same four lists to which this announcement is addressed.
Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFNWFQIVVuXXpU7hpMRAixMAJ9CvXBKvSkkF6JAj9qfnPVOQBOz9QCg/ASx
RKTuYnogMT0S96GqSclcXyY=
=l9sU
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 2/13/2011 1:58 PM, Mark Sapiro wrote:
> An XSS vulnerability affecting Mailman 2.1.14 and prior versions has recently been discovered. A patch has been developed to address this issue. The patch is small, affects only one module and can be applied to a live installation without requiring a restart.
>
> In order to accommodate those who need some notice before applying such a patch, the patch will be posted on Friday, 18 February at about 16:00 GMT to the same four lists to which this announcement is addressed.
The vulnerability has been assigned CVE-2011-0707.
The patch is attached as confirm_xss.patch.txt.
Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFNXpf1VVuXXpU7hpMRAs1nAJ97r3VEu5b5jl4JhdNv3r6x+ElqjQCghU+w
Gp0hqWatECAYyAIL7IH9dGk=
=8U6M
-----END PGP SIGNATURE-----
On Fri, Feb 18, 2011 at 11:01, Mark Sapiro <mark@msapiro.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2/13/2011 1:58 PM, Mark Sapiro wrote:
>> An XSS vulnerability affecting Mailman 2.1.14 and prior versions has recently been discovered. A patch has been developed to address this issue. The patch is small, affects only one module and can be applied to a live installation without requiring a restart.
>>
>> In order to accommodate those who need some notice before applying such a patch, the patch will be posted on Friday, 18 February at about 16:00 GMT to the same four lists to which this announcement is addressed.
>
> The vulnerability has been assigned CVE-2011-0707.
>
> The patch is attached as confirm_xss.patch.txt.
Mark, I want to say Thank You for the advanced notification and the patch. Mailman continues to be the leading substantive communication enabler, and it is entirely due to the dedication and quality work of yourself and the Mailman developer community.
Thank you,
-Jim P.
Restricting to "developers". I wonder if hunks like
@@ -471,7 +471,7 @@ if fullname is None: fullname = _('<em>Not available</em>') else: - fullname = Utils.uncanonstr(fullname, lang) + fullname = Utils.websafe(Utils.uncanonstr(fullname, lang)) table.AddRow([_("""Your confirmation is required in order to complete the unsubscription request from the mailing list <em>%(listname)s</em>. You are currently subscribed with
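Review bot: the fix escapes `fullname` only at this one interpolation site; after the `+` line `fullname` is still an ordinary string, so nothing at the `table.AddRow` call distinguishes escaped values from unescaped ones, and the next `%(...)s` substitution of a subscriber-supplied field in this module has the same opportunity to omit `websafe()`. A one-line comment on the `+` line stating that `fullname` is subscriber-supplied and must be escaped after `uncanonstr()` returns would at least document the invariant; the escape-by-default `AddRow` suggested below would enforce it.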
wouldn't better be done in table.AddRow, etc? Specifically I have in mind some sort of device where the *default* behavior is "websafe()", and you have to mark variable text as "safe" to get "active" markup. I'm pretty sure this is not appropriate for 2.x (too invasive), but maybe it's an idea for Mailman 3.
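The escape-by-default table builder Stephen describes above (and the call-site `websafe()` wrapping in Mark's hunk that it would replace), worked through as an added Python example. This is my code, not Mailman's: `websafe` is a stand-in for `Utils.websafe()`, and `SafeMarkup`, `escape`, `add_row` and `confirm_row` are names I made up; `confirm_row` only approximates the confirm-page template quoted in the hunk.

```python
import html


def websafe(s):
    """Constructed stand-in for Mailman's Utils.websafe(): escape the
    characters that carry meaning in HTML text and attribute values."""
    return html.escape(str(s), quote=True)


class SafeMarkup(str):
    """A str whose content is trusted HTML. Output code never escapes it,
    so only code that builds markup from its own literals should construct
    one. The % operator escapes every substituted value unless that value
    is itself SafeMarkup: a template literal can be marked safe while the
    parameters fed into it cannot sneak markup through."""

    def __mod__(self, args):
        if isinstance(args, dict):
            args = {k: escape(v) for k, v in args.items()}
        elif isinstance(args, tuple):
            args = tuple(escape(v) for v in args)
        else:
            args = escape(args)
        return SafeMarkup(str.__mod__(self, args))


def escape(value):
    """Escape-by-default: anything not explicitly marked SafeMarkup is
    treated as untrusted text, including plain str literals."""
    if isinstance(value, SafeMarkup):
        return value
    return SafeMarkup(websafe(value))


def add_row(cells):
    """Stand-in for the proposed safe-by-default Table.AddRow(): every cell
    passes through escape(), so a call site cannot forget websafe()."""
    body = "".join("<td>%s</td>" % str(escape(c)) for c in cells)
    return SafeMarkup("<tr>" + body + "</tr>")


def confirm_row(fullname, listname):
    """Approximation (constructed) of the confirm-page code in the hunk with
    the escaping moved out of the call site. fullname is subscriber-supplied;
    listname comes from the list configuration. The wording after
    'subscribed with' is shortened here."""
    if fullname is None:
        # Literal markup written by the code itself: mark it safe so <em> stays active.
        fullname = SafeMarkup("<em>Not available</em>")
    template = SafeMarkup(
        "Your confirmation is required in order to complete the "
        "unsubscription request from the mailing list "
        "<em>%(listname)s</em>. You are currently subscribed with "
        "real name %(fullname)s.")
    # Plain-str fullname is escaped by SafeMarkup.__mod__; the literal <em> is not.
    return add_row([template % {"listname": listname, "fullname": fullname}])


if __name__ == "__main__":
    # Constructed sample input: a subscriber name carrying script tags.
    print(confirm_row("Bob <script>alert(1)</script>", "announce"))
    print(confirm_row(None, "announce"))
```

The point of the `SafeMarkup` type is that the decision "this is markup" is made once, where the literal is written, instead of at every interpolation site; `add_row()` and `%` then do the right thing for a plain `str` even when the caller forgot about escaping entirely. This is the same model used by template libraries' `Markup` types, and, as Stephen notes, retrofitting it means touching every caller that currently passes pre-built HTML as a plain string.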