aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMark Sapiro <mark@msapiro.net>2020-05-05 08:08:54 -0700
committerMark Sapiro <mark@msapiro.net>2020-05-05 08:08:54 -0700
commitbb493df55fe504a0dd4f743ad48837fd18eb9888 (patch)
treec8f770a913249f6d32435d173c31986076317389
parent12155455f6afa9243c18077bdd064fceb428e56c (diff)
downloadmailman2-bb493df55fe504a0dd4f743ad48837fd18eb9888.tar.gz
mailman2-bb493df55fe504a0dd4f743ad48837fd18eb9888.tar.xz
mailman2-bb493df55fe504a0dd4f743ad48837fd18eb9888.zip
Fixed options login content injection vulnerability.
-rw-r--r--Mailman/Cgi/options.py2
-rw-r--r--NEWS7
2 files changed, 7 insertions, 2 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 641ec134..ee2293e2 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -173,7 +173,7 @@ def main():
try:
Utils.ValidateEmail(user)
except Errors.EmailAddressError:
- doc.addError(_('Illegal Email Address: %(safeuser)s'))
+ doc.addError(_('Illegal Email Address'))
loginpage(mlist, doc, None, language)
print doc.Format()
return
diff --git a/NEWS b/NEWS
index 5e35d462..e9715d13 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,12 @@ Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
Here is a history of user visible changes to Mailman.
-2.1.30-1 (xx-xxx-xxxx)
+2.1.31 (05-May-2020)
+
+ Security
+
+ - A content injection vulnerability via the options login page has been
+ discovered and reported by Vishal Singh. This is fixed. (LP: #1873722)
i18n