[Mailman-Users] Mailman CSRF Vulnerability

Mark Sapiro mark at msapiro.net
Tue Jan 9 12:10:57 EST 2018

On 01/08/2018 09:43 PM, Lindsay Haisley wrote:
> I just installed a new list on MM 2.1.18-1 and one of the sharper folks
> on a related FB group noted that there is, or had been a CSRF
> vulnerability on some versions of MM2. A little research turned up
> <https://bugs.launchpad.net/mailman/+bug/775294> in which Mark states
> that this has been fixed since 2.1.15. For the record, could someone
> confirm this?

It should have been fixed in 2.1.15, but for some reason, only part of
the fix was merged and released with 2.1.15. The vulnerability in the
web admin interface was fixed in 2.1.15, but the admindb, edithtml and
options interfaces were still vulnerable. These were not fixed until 2.1.23.

See <https://bugs.launchpad.net/mailman/+bug/1614841>. The comment
thread contains a link to a patch to fix versions >= 2.1.15 and <=
2.1.22, however the version "2.1.18-1" indicates this is some distro's
package and the patch may have already been backported.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list