[Mailman-Announce] Mailman security patch.

Mark Sapiro mark at msapiro.net
Thu Sep 9 15:46:16 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/4/2010 5:59 PM, Mark Sapiro wrote:
> I plan to release a Mailman 2.1.14 candidate release towards the end of
> next week (Sept 9 or 10). This release will have enhanced XSS defenses
> addressing two recently discovered vulnerabilities. Since release of the
> code will potentially expose the vulnerabilities, I plan to publish a
> patch against the 2.1.13 base with the fix before actually releasing the
> 2.1.14 candidate.
> 
> I will post the patch to the same 4 lists that this post is being sent
> to in the early afternoon, GMT, on September 9.
> 
> The vulnerabilities are obscure and can only be exploited by a list
> owner, but if you are concerned about them you can plan to install the
> patch.


The patch is attached. Since it only affects the web CGIs, it can be
applied and will be effective without restarting Mailman, although since
it includes a patch to Utils.py which is imported by the qrunners, a
restart of Mailman is advisable as soon as convenient after applying the
patch.

- -- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMiOUnVVuXXpU7hpMRAkWlAJoCqVN2gSlNummYeDfq+BHcVfSKhACg5qrJ
7Idyd0aET0xWy11P6njxT3w=
=9uxx
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: xss.patch.txt
URL: <http://mail.python.org/pipermail/mailman-announce/attachments/20100909/c9d893e6/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xss.patch.txt.sig
Type: application/octet-stream
Size: 65 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/mailman-announce/attachments/20100909/c9d893e6/attachment.obj>
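The announcement says the patch can be applied live because it only touches the web CGIs, but that the Utils.py change means the qrunners should be restarted soon afterwards. The helper below, added here as an example and not part of the announcement or the Mailman project's own tooling, turns that advice into a checked procedure: verify the detached signature (`xss.patch.txt.sig`), dry-run the patch, apply it, and restart only when the diff touches something outside `Mailman/Cgi/`. It assumes Mailman is installed at `$MAILMAN_HOME` (default `/usr/local/mailman`), that the diff paths are relative to that directory (hence `patch -p0`), and that `bin/mailmanctl` is the restart entry point; all three are assumptions about a typical 2.1 installation, not facts taken from the attached patch.

```shell
#!/bin/sh
# Added example helper for applying a signed Mailman 2.1 patch as the
# announcement describes. Assumptions (not from the page): Mailman lives in
# $MAILMAN_HOME, diff paths are relative to it (patch -p0), and the detached
# signature sits next to the patch as "<patch>.sig".

MAILMAN_HOME="${MAILMAN_HOME:-/usr/local/mailman}"

# List the files a unified diff modifies, taken from its '+++' headers.
# A leading 'a/' or 'b/' prefix (git-style diffs) is stripped.
touched_files() {
    grep '^+++ ' "$1" | awk '{ print $2 }' | sed 's#^[ab]/##'
}

# True (exit 0) if the patch changes any file outside Mailman/Cgi/.
# CGI scripts are re-executed per request, so patching them alone takes
# effect immediately; any other module (Utils.py, for instance) stays
# loaded in the long-running qrunners until they are restarted.
patch_needs_restart() {
    touched_files "$1" | grep -v '^Mailman/Cgi/' | grep -q .
}

# Verify the detached PGP signature before touching the installation.
verify_patch() {
    gpg --verify "$1.sig" "$1"
}

# Dry-run first, apply only if the dry run is clean, then restart if needed.
apply_mailman_patch() {
    patchfile="$1"
    verify_patch "$patchfile" || { echo "signature check failed" >&2; return 1; }
    ( cd "$MAILMAN_HOME" && patch -p0 --dry-run < "$patchfile" ) || return 1
    ( cd "$MAILMAN_HOME" && patch -p0 < "$patchfile" ) || return 1
    if patch_needs_restart "$patchfile"; then
        echo "patch touches non-CGI modules; restarting qrunners"
        "$MAILMAN_HOME/bin/mailmanctl" restart
    else
        echo "patch affects only CGIs; no restart required"
    fi
}

# Usage: apply_mailman_patch /path/to/xss.patch.txt
```

Run `apply_mailman_patch /path/to/xss.patch.txt` as the Mailman user after importing the signer's key; the signature check deliberately comes before the dry run so that an unverified file is never fed to `patch` at all.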