Mailman 2.1.35 security release

Related Vulnerabilities: CVE-2021-42096, CVE-2021-42097

oss-sec
mailing list archives
From: Alan Coopersmith <alan.coopersmith () oracle com>

Date: Thu, 21 Oct 2021 12:04:47 -0700

Quoting from Mark Sapiro's emails at:
https://mail.python.org/archives/list/mailman-announce () python org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/

A couple of vulnerabilities have recently been reported. Thanks to Andre 
Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and 
helping with the development of a fix.

CVE-2021-42096 could allow a list member to discover the list admin 
password.

CVE-2021-42097 could allow a list member to create a successful CSRF 
attack against another list member, enabling takeover of the member's account.

These attacks can't be carried out by non-members so may not be of 
concern for sites with only trusted list members.

I am pleased to announce the release of Mailman 2.1.35.

This is a security and minor bug fix release. See the attached 
README.txt for details. For those who just want a patch for the security 
issues, see 
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873.
The patch is also attached to the bug reports at 
https://bugs.launchpad.net/mailman/+bug/1947639 and 
https://bugs.launchpad.net/mailman/+bug/1947640. The patch is the same 
on both and fixes both issues.

As noted, Mailman 2.1.30 was the last feature release of the Mailman 2.1
branch from the GNU Mailman project. There has been some discussion as
to what this means. It means there will be no more releases from the GNU
Mailman project containing any new features. There may be future patch
releases to address the following:

i18n updates.
security issues.
bugs affecting operation for which no satisfactory workaround exists.

Mailman 2.1.35 is the fifth such patch release.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.

For more information, please see our web site at one of:

http://www.list.org
https://www.gnu.org/software/mailman
http://mailman.sourceforge.net/

Mailman 2.1.35 can be downloaded from

https://launchpad.net/mailman/2.1/
https://ftp.gnu.org/gnu/mailman/
https://sourceforge.net/projects/mailman/

--
        -Alan Coopersmith-               alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/alanc
