[Mailman-Users] Should CSRF check disregard case of addresses?

2021-12-13 Thread Sebastian Hagedorn
Hi, thanks for the recent security fixes regarding potential CSRF attacks! I checked our mischief logs for relevant messages today and the only one I found was this: Nov 24 19:33:24 2021 (117276) Form for user x...@smail.uni-koeln.de submitted with CSRF token issued for x...@smail.uni-koeln.

[Mailman-Users] Re: Should CSRF check disregard case of addresses?

2021-12-13 Thread Mailman-admin
Hello On 13.12.21 at 12:09 Sebastian Hagedorn wrote: > Hi, > > thanks for the recent security fixes regarding potential CSRF attacks! I > checked our mischief logs for relevant messages today and the only one I > found was this: > > Nov 24 19:33:24 2021 (117276) Form for user x...@smail.uni-ko

[Mailman-Users] Re: Should CSRF check disregard case of addresses?

2021-12-13 Thread Stephen J. Turnbull
Mailman-admin writes: > On 13.12.21 at 12:09 Sebastian Hagedorn wrote: > > Nov 24 19:33:24 2021 (117276) Form for user x...@smail.uni-koeln.de > > submitted with CSRF token issued for x...@smail.uni-koeln.de. > > > > The only difference is in the case of the email address. I’m no expert >

[Mailman-Users] Re: Should CSRF check disregard case of addresses?

2021-12-13 Thread Mark Sapiro
On 12/13/21 10:02 AM, Stephen J. Turnbull wrote: On the other hand, whether they should be equivalent for CSRF validation is another question. Since the CSRF validation is supposed to be entirely transparent to the user, I would (naively) expect that the strings representing the same address in

[Mailman-Users] Re: Should CSRF check disregard case of addresses?

2021-12-13 Thread Bill Cole
On 2021-12-13 at 13:02:22 UTC-0500 (Tue, 14 Dec 2021 03:02:22 +0900) Stephen J. Turnbull is rumored to have said: Mailman-admin writes: On 13.12.21 at 12:09 Sebastian Hagedorn wrote: Nov 24 19:33:24 2021 (117276) Form for user x...@smail.uni-koeln.de submitted with CSRF token issued for x

[Mailman-Users] Re: Should CSRF check disregard case of addresses?

2021-12-13 Thread Mark Sapiro
On 12/13/21 10:36 AM, Bill Cole wrote: Also simple: NEVER try to interpret or canonicalize local-parts that exist in someone else's domain. You cannot programmatically determine whether 2 different local-parts are equivalent unless you run the delivery system for them. This is correct and

[Mailman-Users] Re: Should CSRF check disregard case of addresses?

2021-12-13 Thread Stephen J. Turnbull
Bill Cole writes: > > So this is potentially very complicated. > > Case-squashing domain parts? Not complicated. Simple. This is true if you are talking about following the Internet's rules. I wasn't; I was talking about equivalencing identity tokens that happen to look like email addresses.

[Mailman-Users] Mailman 2.1.39 Release

2021-12-13 Thread Mark Sapiro
I am pleased to announce the release of Mailman 2.1.39. This is a bug fix release. It fixes https://bugs.launchpad.net/mailman/+bug/1954694 This addresses two issues. The fix for CVE-2021-42097 was case sensitive and should not be. The fix for CVE-2021-44227 introduced a potential NameError i