Hey Everyone,

A new vulnerability was reported against Hyperkitty's git master branch: the Feeds API that was recently added to Hyperkitty can expose the archives of a private mailing list to someone who is not a member of the list or logged in.

Thanks to Ngo Wei Lin for reporting this vulnerability.

This bug does not affect any stable release of Hyperkitty and only affects installations from source (version 1.3.5b1). To differentiate from the vulnerable version, I have bumped the version in the master branch to 1.3.5b2, so if you have 1.3.5b1 installed, you should upgrade!

The fix for this bug has been committed to master branch[1][2] less than an hour ago as of this writing. If you are using git branches to install Hyperkitty, you can upgrade using the following command:

$ pip install --upgrade git+https://gitlab.com/mailman/hyperkitty@master

I have also triggered a build for the Mailman container images[3] with these changes, so if you are using the rolling container images (which are the only affected ones), then you should upgrade to the latest one when the build[3] finishes (in approximately the next 30 minutes).

Do note that this version of the rolling release of the mailman-web image also includes the fix for the vulnerability announced against Postorius earlier today.

You can verify that you have the fixed version of Hyperkitty in the image by running:

    $ docker run -it --entrypoint bash maxking/mailman-web:rolling
    bash-5.0# pip list | grep HyperKitty
    HyperKitty          1.3.5b2

Ensure that you get 1.3.5b2 version.
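For anyone with more than one deployment to check, the manual `pip list | grep HyperKitty` step above can be automated. The following script is an added example, not part of the announcement or of the Hyperkitty project: it parses `pip list` output, compares the HyperKitty version against the affected (1.3.5b1) and fixed (1.3.5b2) versions using a small subset of PEP 440 ordering (pre-releases a < b < rc < final), and reports the state. The `pip list` text embedded below is constructed sample output; in practice you would feed it the output of `pip list` from the container or virtualenv.

```python
import re

# Constructed sample of `pip list` output (not real output from any host),
# shaped like the check shown in the announcement.
SAMPLE_PIP_LIST = """\
Package             Version
------------------- -------
Django              3.2.7
HyperKitty          1.3.5b1
postorius           1.3.5b1
"""

VULNERABLE = (1, 3, 5, "b", 1)   # the only affected version named in the announcement
FIXED = (1, 3, 5, "b", 2)        # master was bumped to 1.3.5b2 together with the fix


def parse_version(text):
    """Parse 'X.Y.Z' or 'X.Y.Z{a|b|rc}N' into a tuple that sorts like PEP 440.

    Final releases get the marker "z" so they sort after any pre-release
    ("a" < "b" < "rc" < "z" under plain string comparison).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, "z", 0)
    return (major, minor, patch, m.group(4), int(m.group(5)))


def installed_version(pip_list_output, package="hyperkitty"):
    """Return the version string for `package` from `pip list` output, or None.

    Matching is case-insensitive because pip prints the canonical project
    name ("HyperKitty"), which differs in case from the import name.
    """
    for line in pip_list_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == package:
            return parts[1]
    return None


def assess(pip_list_output):
    """Classify the install as 'vulnerable', 'fixed', 'unaffected' or 'missing'."""
    ver = installed_version(pip_list_output)
    if ver is None:
        return "missing"          # HyperKitty is not installed in this environment
    v = parse_version(ver)
    if v == VULNERABLE:
        return "vulnerable"       # 1.3.5b1 from the pre-fix master branch
    if v >= FIXED:
        return "fixed"            # 1.3.5b2 or anything newer carries the fix
    # Stable releases before 1.3.5 predate the Feeds API and are not affected
    # according to the announcement.
    return "unaffected"


if __name__ == "__main__":
    # Replace SAMPLE_PIP_LIST with real `pip list` output to check a deployment.
    print(f"HyperKitty {installed_version(SAMPLE_PIP_LIST)}: {assess(SAMPLE_PIP_LIST)}")
```

Run it against real output with something like `docker run --rm --entrypoint pip maxking/mailman-web:rolling list | python3 check.py` after swapping the sample for `sys.stdin.read()`; a result of `vulnerable` means the image or virtualenv still carries the pre-fix 1.3.5b1 build and should be upgraded as described above.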


[1]: https://gitlab.com/mailman/hyperkitty/-/merge_requests/362
[2]: https://gitlab.com/mailman/hyperkitty/-/commit/ed086015acbf66ba377e2af7f6e782bd32d1f283
[3]: https://github.com/maxking/docker-mailman/runs/3519658592


--
thanks,
Abhilash Raj (maxking)
_______________________________________________
Mailman-Developers mailing list -- mailman-developers@python.org
https://mail.python.org/mailman3/lists/mailman-developers.python.org/
Mailman FAQ: https://wiki.list.org/x/AgA3

Security Policy: https://wiki.list.org/x/QIA9