=====================================================================
                                   CERT-Renater

                        Information Note No. 2011/VULN139
_____________________________________________________________________

DATE                      : 21/02/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Mailman versions up to and including 2.1.14.

======================================================================
http://mail.python.org/pipermail/mailman-announce/2011-February/000157.html
http://mail.python.org/pipermail/mailman-announce/2011-February/000158.html
______________________________________________________________________

An XSS vulnerability affecting Mailman 2.1.14 and prior versions has
recently been discovered. A patch has been developed to address this
issue. The patch is small, affects only one module and can be applied to
a live installation without requiring a restart.

In order to accommodate those who need some notice before applying such
a patch, the patch will be posted on Friday, 18 February at about 16:00
GMT to the same four lists to which this announcement is addressed.

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
_______________________________________________________________________

On 2/13/2011 1:58 PM, Mark Sapiro wrote:
> An XSS vulnerability affecting Mailman 2.1.14 and prior versions has
> recently been discovered. A patch has been developed to address this
> issue. The patch is small, affects only one module and can be applied to
> a live installation without requiring a restart.
>
> In order to accommodate those who need some notice before applying such
> a patch, the patch will be posted on Friday, 18 February at about 16:00
> GMT to the same four lists to which this announcement is addressed.


The vulnerability has been assigned CVE-2011-0707.

The patch is attached as confirm_xss.patch.txt.

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

