[Mailman-Users] Mailman CSRF Vulnerability

Lindsay Haisley fmouse at fmp.com
Wed Jan 10 23:47:34 EST 2018

On Tue, 2018-01-09 at 09:10 -0800, Mark Sapiro wrote:
> See <https://bugs.launchpad.net/mailman/+bug/1614841>. The comment
> thread contains a link to a patch to fix versions >= 2.1.15 and <=
> 2.1.22, however the version "2.1.18-1" indicates this is some distro's
> package and the patch may have already been backported.

Actually not. "2.1.18-1" was the first full implementation of DMARC
mitigation from y'all. It's listed as a standard version at
http://www.securiteam.com/securitynews/6P03K0AHFA.html which shows it
as vulnerable to a CSRF attack. I always build MM from source and
haven't used a distro-provided version in years. I should probably
update my installation to the latest version. I came on bug #775294 and
apparently my version is vulnerable.

Upgrading MM2 here is a bit of a PITA since I have to do a lot of
patching to support the hacks I've done to MM over the years.

Lindsay Haisley       | "The first casualty when
FMP Computer Services |         war comes is truth."
512-259-1190          |            
http://www.fmp.com    |     -- Hiram W Johnson

More information about the Mailman-Users mailing list