oss-sec
mailing list archives
Mailman 2.1.35 security release
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Thu, 21 Oct 2021 12:04:47 -0700
Quoting from Mark Sapiro's emails at:
https://mail.python.org/archives/list/mailman-announce () python org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/
A couple of vulnerabilities have recently been reported. Thanks to Andre
Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and
helping with the development of a fix.
CVE-2021-42096 could allow a list member to discover the list admin
password.
CVE-2021-42097 could allow a list member to create a successful CSRF
attack against another list member enabling takeover of the member's account.
These attacks can't be carried out by non-members so may not be of
concern for sites with only trusted list members.
I am pleased to announce the release of Mailman 2.1.35.
This is a security and minor bug fix release. See the attached
README.txt for details. For those who just want a patch for the security
issues, see
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873.
The patch is also attached to the bug reports at
https://bugs.launchpad.net/mailman/+bug/1947639 and
https://bugs.launchpad.net/mailman/+bug/1947640. The patch is the same
on both and fixes both issues.
As noted, Mailman 2.1.30 was the last feature release of the Mailman 2.1
branch from the GNU Mailman project. There has been some discussion as
to what this means. It means there will be no more releases from the GNU
Mailman project containing any new features. There may be future patch
releases to address the following:
i18n updates.
security issues.
bugs affecting operation for which no satisfactory workaround exists.
Mailman 2.1.35 is the fifth such patch release.
Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.
For more information, please see our web site at one of:
http://www.list.org
https://www.gnu.org/software/mailman
http://mailman.sourceforge.net/
Mailman 2.1.35 can be downloaded from
https://launchpad.net/mailman/2.1/
https://ftp.gnu.org/gnu/mailman/
https://sourceforge.net/projects/mailman/
--
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc