18 Feb 2011 17:01
Re: Mailman Security Patch Announcement
Mark Sapiro <mark <at> msapiro.net>
2011-02-18 16:01:57 GMT
2011-02-18 16:01:57 GMT
On 2/13/2011 1:58 PM, Mark Sapiro wrote: > An XXS vulnerability affecting Mailman 2.1.14 and prior versions has > recently been discovered. A patch has been developed to address this > issue. The patch is small, affects only one module and can be applied to > a live installation without requiring a restart. > > In order to accommodate those who need some notice before applying such > a patch, the patch will be posted on Friday, 18 February at about 16:00 > GMT to the same four lists to which this announcement is addressed. The vulnerability has been assigned CVE-2011-0707. The patch is attached as confirm_xss.patch.txt. -- Mark Sapiro <mark <at> msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
=== modified file 'Mailman/Cgi/confirm.py'
--- Mailman/Cgi/confirm.py 2010-03-29 20:48:11 +0000
+++ Mailman/Cgi/confirm.py 2011-02-12 02:24:47 +0000
<at> <at> -471,7 +471,7 <at> <at>
if fullname is None:
fullname = _('<em>Not available</em>')
else:
- fullname = Utils.uncanonstr(fullname, lang)
+ fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
table.AddRow([_("""Your confirmation is required in order to complete the
unsubscription request from the mailing list <em>%(listname)s</em>. You
are currently subscribed with
<at> <at> -573,7 +573,7 <at> <at>
if fullname is None:
fullname = _('<em>Not available</em>')
else:
- fullname = Utils.uncanonstr(fullname, lang)
+ fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
if globally:
globallys = _('globally')
else:
<at> <at> -814,7 +814,7 <at> <at>
if username is None:
username = _('<em>not available</em>')
else:
- username = Utils.uncanonstr(username, lang)
+ username = Utils.websafe(Utils.uncanonstr(username, lang))
table.AddRow([_("""Your membership in the %(realname)s mailing list is
currently disabled due to excessive bounces. Your confirmation is
RSS Feed