diff options
| -rw-r--r-- | Mailman/Cgi/options.py | 2 | ||||
| -rw-r--r-- | NEWS | 12 |
2 files changed, 14 insertions, 0 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py index 60b7d9b6..3db0a172 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -346,6 +346,8 @@ def main(): varhelp = qs[0] if varhelp: # Sanitize the topic name. + while '%' in varhelp: + varhelp = urllib.unquote_plus(varhelp) varhelp = re.sub('<.*', '', varhelp) topic_details(mlist, doc, user, cpuser, userlang, varhelp) return @@ -5,6 +5,18 @@ Copyright (C) 1998-2020 by the Free Software Foundation, Inc. Here is a history of user visible changes to Mailman. +2.1.36 (xx-Nov-2021) + + Security + + - A potential XSS attack via the user options page has been reported by + Harsh Jaiswal. This is fixed. CVE-2021-43331 (LP:#1949401) + + - A potential for for a list moderator to carry out an off-line brute force + attack to obtain the list admin password has been reported by Andre + Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed. + CVE-2021-43332 (LP:#1949403) + 2.1.35 (19-Oct-2021) Security |