List: oss-security
Subject: [oss-security] Mailman 2.1.35 security release
From: Alan Coopersmith <alan.coopersmith () oracle ! com>
Date: 2021-10-21 19:04:47
Message-ID: a27e3c69-2e14-929c-0a57-42427760b778 () oracle ! com
Quoting from Mark Sapiro's emails at:
https://mail.python.org/archives/list/mailman-announce@python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/
> A couple of vulnerabilities have recently been reported. Thanks to Andre
> Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and
> helping with the development of a fix.
>
> CVE-2021-42096 could allow a list member to discover the list admin
> password.
>
> CVE-2021-42097 could allow a list member to create a successful CSRF
> attack against another list member enabling takeover of the member's account.
>
> These attacks can't be carried out by non-members so may not be of
> concern for sites with only trusted list members.
> I am pleased to announce the release of Mailman 2.1.35.
>
> This is a security and minor bug fix release. See the attached
> README.txt for details. For those who just want a patch for the security
> issues, see
> https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873.
> The patch is also attached to the bug reports at
> https://bugs.launchpad.net/mailman/+bug/1947639 and
> https://bugs.launchpad.net/mailman/+bug/1947640. The patch is the same
> on both and fixes both issues.
>
> As noted Mailman 2.1.30 was the last feature release of the Mailman 2.1
> branch from the GNU Mailman project. There has been some discussion as
> to what this means. It means there will be no more releases from the GNU
> Mailman project containing any new features. There may be future patch
> releases to address the following:
>
> i18n updates.
> security issues.
> bugs affecting operation for which no satisfactory workaround exists.
>
> Mailman 2.1.35 is the fifth such patch release.
>
> Mailman is free software for managing email mailing lists and
> e-newsletters. Mailman is used for all the python.org and
> SourceForge.net mailing lists, as well as at hundreds of other sites.
>
> For more information, please see our web site at one of:
>
> http://www.list.org
> https://www.gnu.org/software/mailman
> http://mailman.sourceforge.net/
>
> Mailman 2.1.35 can be downloaded from
>
> https://launchpad.net/mailman/2.1/
> https://ftp.gnu.org/gnu/mailman/
> https://sourceforge.net/projects/mailman/
--
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc