[Mailman-Users] Mailman CSRF Vulnerability
fmouse at fmp.com
Wed Jan 10 23:47:34 EST 2018
On Tue, 2018-01-09 at 09:10 -0800, Mark Sapiro wrote:
> See <https://bugs.launchpad.net/mailman/+bug/1614841>. The comment
> thread contains a link to a patch to fix versions >= 2.1.15 and <=
> 2.1.22, however the version "2.1.18-1" indicates this is some distro's
> package and the patch may have already been backported.
Actually not. "2.1.18-1" was the first full implementation of DMARC
mitigation from y'all. It's listed as a standard version at
http://www.securiteam.com/securitynews/6P03K0AHFA.html which shows it
as vulnerable to a CSRF attack. I always build MM from source and
haven't used a distro-provided version in years. I should probably
update my installation to the latest version. I came on bug #775294 and
apparently my version is vulnerable.
Upgrading MM2 here is a bit of a PITA since I have to do a lot of
patching to support the hacks I've done to MM over the years.
Lindsay Haisley | "The first casualty when
FMP Computer Services | war comes is truth."
http://www.fmp.com | -- Hiram W Johnson
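A small version check, added here as an example and not part of the thread or of Mailman's own code: it parses a Mailman 2 version string, keeps the distro/package suffix (the "-1" in "2.1.18-1") separate from the upstream number, and reports whether the upstream number lies in the range the thread cites as affected (>= 2.1.15 and <= 2.1.22). The affected range comes from the thread; the parsing logic, the suffix handling and the function names are assumptions of this example, and a suffix is only a hint that the build might carry a backported fix, not proof, as the reply above shows.

```python
# Added example (not from the mailing-list thread): decide whether a Mailman 2
# version string falls in the affected range the thread cites for the CSRF bug,
# >= 2.1.15 and <= 2.1.22. The range is from the thread; the parsing rules and
# the suffix heuristic are assumptions made for this example.
import re
from typing import Tuple

AFFECTED_MIN = (2, 1, 15)
AFFECTED_MAX = (2, 1, 22)


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split 'MAJOR.MINOR.PATCH[-suffix]' into a numeric tuple and the
    package suffix (empty string when there is none).

    Suffixes introduced by '-', '+' or '~' are treated as packaging metadata,
    an assumption of this example. Raises ValueError on unrecognised input."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+~](.*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2) or ""


def is_in_affected_range(version: str) -> bool:
    """True when the upstream part of the version lies within the affected
    range; tuple comparison handles differing component counts."""
    numbers, _ = parse_version(version)
    return AFFECTED_MIN <= numbers <= AFFECTED_MAX


def assess(version: str) -> str:
    """Human-readable verdict that also flags a package suffix, since a distro
    build may already carry a backport that the version number cannot show."""
    _, suffix = parse_version(version)
    if not is_in_affected_range(version):
        return "not in affected range"
    if suffix:
        return ("upstream version in affected range; '-%s' suffix may indicate "
                "a packaged build, check its changelog for a backported fix"
                % suffix)
    return "in affected range; apply the upstream patch or upgrade"


if __name__ == "__main__":
    # Constructed sample inputs, including the "2.1.18-1" form from the thread.
    for sample in ("2.1.18-1", "2.1.23", "2.1.14", "2.1.20"):
        print(sample, "->", assess(sample))
```

The check only tells you whether the upstream number is inside the affected window; whether a particular build already contains the fix has to be confirmed from the source or package changelog, which is exactly the ambiguity the two messages above are resolving.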