[Mailman-Users] Security patch and Mailman 2.1.20 to be released on 31 March

Mark Sapiro mark at msapiro.net
Sat Mar 28 17:29:35 CET 2015


On 03/28/2015 05:24 AM, Roland Miyamoto wrote:
> Thank you, Mark,
> 
> For this announcement.
> Does the vulnerability also affect older Mailman releases, like
> 2.1.15, e.g.?


Yes, but the actual number of sites that are vulnerable is probably
small. More information will be available on Tuesday, but I think only
one class of sites which doesn't include you is primarily vulnerable.


> If so, how do I make sure to incorporate the fix soon after next
> Tuesday, when the world will learn about the details?
> 
> I am running Mailman 2.1.15 under Debian 7.
> Will the fix be included in the usual repository updates?


The fix will be in Mailman 2.1.20 which will be available in all the
usual upstream places. It will also be in the official Mailman 2.1
branch at <https://code.launchpad.net/~mailman-coders/mailman/2.1>.

Its inclusion in Debian and other downstream packages is beyond my
control, and I can't say when this might occur.

The actual fix, exclusive of comments, adds 3 lines of code to one place
in one module. This patch will be included in the announcement I post on
Tuesday, so you can just apply it and restart Mailman. It will apply
with at most a line number offset and work with any Mailman version
2.1.11 or newer.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
