[Mailman-Announce] Mailman security patch.

Mark Sapiro mark at msapiro.net
Sun Sep 5 02:59:21 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I plan to release a Mailman 2.1.14 candidate release towards the end of
next week (Sept 9 or 10). This release will have enhanced XSS defenses
addressing two recently discovered vulnerabilities. Since release of the
code will potentially expose the vulnerabilities, I plan to publish a
patch against the 2.1.13 base with the fix before actually releasing the
2.1.14 candidate.

I will post the patch to the same 4 lists that this post is being sent
to in the early afternoon, GMT, on September 9.

The vulnerabilities are obscure and can only be exploited by a list
owner, but if you are concerned about them you can plan to install the
patch.

The patch is small (34-line diff), only affects two modules and doesn't
require a Mailman restart to be effective, although I would recommend a
restart as soon as convenient after applying the patch.

- -- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMgutpVVuXXpU7hpMRAsX1AJ48C0RxSpV7r9lg3J0V7OTs44ISqgCgn1wX
LZ5RkuGLo0r04eDNYOBDYpo=
=gscN
-----END PGP SIGNATURE-----

