There is a CSRF vulnerability associated with the user options page.
This could conceivably allow an attacker to obtain a user's password.

This is reported at <https://bugs.launchpad.net/mailman/+bug/1614841>.

I have developed a fix which is a small patch to two modules. I plan to
release Mailman 2.1.23 with this and other fixes on Saturday, Aug 27 and
also to post at the same time the patch which can be applied stand-alone.

Neither the bug report nor the fix reveals much detail about the attack,
but to allay any concern, I'm delaying the release for a week to allow
people to plan for installation of at least the patch at the time of
release.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3

Security Policy: http://wiki.list.org/x/QIA9
