On 11/12/21 4:01 PM, Mark Sapiro wrote:
Mailman 2.1.36 had a serious bug. Thanks to Joel Lord for finding and
reporting it.

I have just released Mailman 2.1.37 to fix that issue. It is reported at
https://bugs.launchpad.net/mailman/+bug/1950833 and is fixed at
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1878

Mailman 2.1.36 should not be installed - upgrade from Mailman <= 2.1.35
directly to 2.1.37.

For those interested in just a patch, the fix for
https://bugs.launchpad.net/mailman/+bug/1949403 (CVE-2021-43332) in
Mailman 2.1.35 and prior is
```
=== modified file 'Mailman/CSRFcheck.py'
--- old/Mailman/CSRFcheck.py 2021-10-18 23:56:42 +0000
+++ new/Mailman/CSRFcheck.py 2021-11-12 23:06:09 +0000
@@ -45,7 +45,7 @@
for context in contexts:
key, secret = mlist.AuthContextInfo(context, user)
- if key:
+ if key and secret:
break
else:
return None # not authenticated
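Review bot: with `if key and secret:` a context that yields a key but an empty secret no longer satisfies the loop, so control reaches the for/else branch and `return None # not authenticated`; since `break` selects the first context that supplies both values, the order of `contexts` is now security-relevant, and a one-line comment on the loop header saying that the first context with both a key and a secret wins would keep a later reorder from silently reintroducing the issue.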
=== modified file 'Mailman/Cgi/admindb.py'
--- old/Mailman/Cgi/admindb.py 2018-06-17 23:47:34 +0000
+++ new/Mailman/Cgi/admindb.py 2021-11-12 23:05:56 +0000
@@ -59,8 +59,8 @@
else:
ssort = SSENDER
-AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
- mm_cfg.AuthListModerator)
+AUTH_CONTEXTS = (mm_cfg.AuthListModerator, mm_cfg.AuthListAdmin,
+ mm_cfg.AuthSiteAdmin)
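Review bot: the tuple is reordered to put `mm_cfg.AuthListModerator` before `mm_cfg.AuthListAdmin` and `mm_cfg.AuthSiteAdmin`, but nothing in the hunk records why; because the CSRF check breaks on the first context that provides a key and a secret, this order determines whose credentials the admindb token is derived from, so a comment above `AUTH_CONTEXTS` stating that moderator must come first (and referencing bug 1949403) would document the intent and guard against an accidental revert.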
```
--
Mark Sapiro <m...@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/