[Mailman-Developers] Imminent release of a Mailman security fix.

Mark Sapiro mark at msapiro.net
Fri Aug 19 03:09:53 EDT 2016


There is a CSRF vulnerability associated with the user options page.
This could conceivably allow an attacker to obtain a user's password.

This is reported at <https://bugs.launchpad.net/mailman/+bug/1614841>.

I have developed a fix which is a small patch to two modules. I plan to
release Mailman 2.1.23 with this and other fixes on Saturday, Aug 27 and
also to post at the same time the patch which can be applied stand-alone.

Neither the bug report nor the fix reveals much detail about the attack,
but to allay any concern, I'm delaying the release for a week to allow
people to plan for installation of at least the patch at the time of
release.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://mail.python.org/pipermail/mailman-developers/attachments/20160819/b9e0ee76/attachment.sig>


More information about the Mailman-Developers mailing list