List:       oss-security
Subject:    [oss-security] Mailman 2.1.35 security release
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2021-10-21 19:04:47
Message-ID: a27e3c69-2e14-929c-0a57-42427760b778 () oracle ! com

Quoting from Mark Sapiro's emails at:
https://mail.python.org/archives/list/mailman-announce@python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/

> A couple of vulnerabilities have recently been reported. Thanks to Andre 
> Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and 
> helping with the development of a fix.
> 
> CVE-2021-42096 could allow a list member to discover the list admin 
> password.
> 
> CVE-2021-42097 could allow a list member to create a successful CSRF 
> attack against another list member enabling takeover of the member's account.
> 
> These attacks can't be carried out by non-members so may not be of 
> concern for sites with only trusted list members.


> I am pleased to announce the release of Mailman 2.1.35.
> 
> This is a security and minor bug fix release. See the attached 
> README.txt for details. For those who just want a patch for the security 
> issues, see 
> https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873.
> The patch is also attached to the bug reports at 
> https://bugs.launchpad.net/mailman/+bug/1947639 and 
> https://bugs.launchpad.net/mailman/+bug/1947640. The patch is the same 
> on both and fixes both issues.
> 
> As noted Mailman 2.1.30 was the last feature release of the Mailman 2.1
> branch from the GNU Mailman project. There has been some discussion as
> to what this means. It means there will be no more releases from the GNU
> Mailman project containing any new features. There may be future patch
> releases to address the following:
> 
> i18n updates.
> security issues.
> bugs affecting operation for which no satisfactory workaround exists.
> 
> Mailman 2.1.35 is the fifth such patch release.
> 
> Mailman is free software for managing email mailing lists and
> e-newsletters. Mailman is used for all the python.org and
> SourceForge.net mailing lists, as well as at hundreds of other sites.
> 
> For more information, please see our web site at one of:
> 
> http://www.list.org
> https://www.gnu.org/software/mailman
> http://mailman.sourceforge.net/
> 
> Mailman 2.1.35 can be downloaded from
> 
> https://launchpad.net/mailman/2.1/
> https://ftp.gnu.org/gnu/mailman/
> https://sourceforge.net/projects/mailman/

-- 
	-Alan Coopersmith-               alan.coopersmith@oracle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc