Merge lp:mailman/2.1 up to 1671 (2.1.23)

author: Yasuhito FUTATSUKI at POEM <futatuki@poem.co.jp> 2016-08-28 00:30:29 +0900
committer: Yasuhito FUTATSUKI at POEM <futatuki@poem.co.jp> 2016-08-28 00:30:29 +0900
commit: 0aaf0a65b317cf64ff47595b4c57c3fa4a97dc7f (patch)
tree: e47de4b9704acf1d696eb863f3bcfff7e73a1737 /NEWS
parent: a302a27393d816018943cd58e933e17da9398fe7 (diff)
parent: d85ac809ee9d20c0b944082863da9410f7d3e252 (diff)
download: mailman2-0aaf0a65b317cf64ff47595b4c57c3fa4a97dc7f.tar.gz
mailman2-0aaf0a65b317cf64ff47595b4c57c3fa4a97dc7f.tar.xz
mailman2-0aaf0a65b317cf64ff47595b4c57c3fa4a97dc7f.zip
1 files changed, 11 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index d02b8789..2cb22886 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,17 @@ Copyright (C) 1998-2016 by the Free Software Foundation, Inc.
 
 Here is a history of user visible changes to Mailman.
 
-2.1.23 (xx-xxx-xxxx)
+2.1.23 (27-Aug-2016)
+
+  Security
+
+    - CSRF protection has been extended to the user options page.  This was
+      actually fixed by Tokio Kikuchi as part of the fix for LP: #775294 and
+      intended for Mailman 2.1.15, but that fix wasn't completely merged at the
+      time.  The full fix also addresses the admindb, and edithtml pages as
+      well as the user options page and the previously fixed admin pages.
+      Thanks to Nishant Agarwala for reporting the issue.  CVE-2016-6893
+      (LP: #1614841)
  
   New Features
author	Yasuhito FUTATSUKI at POEM <futatuki@poem.co.jp>	2016-08-28 00:30:29 +0900
committer	Yasuhito FUTATSUKI at POEM <futatuki@poem.co.jp>	2016-08-28 00:30:29 +0900
commit	0aaf0a65b317cf64ff47595b4c57c3fa4a97dc7f (patch)
tree	e47de4b9704acf1d696eb863f3bcfff7e73a1737 /NEWS
parent	a302a27393d816018943cd58e933e17da9398fe7 (diff)
parent	d85ac809ee9d20c0b944082863da9410f7d3e252 (diff)
download	mailman2-0aaf0a65b317cf64ff47595b4c57c3fa4a97dc7f.tar.gz mailman2-0aaf0a65b317cf64ff47595b4c57c3fa4a97dc7f.tar.xz mailman2-0aaf0a65b317cf64ff47595b4c57c3fa4a97dc7f.zip