Fix XSS and info leak in options CGI - CVE-2018-5950

author: Mark Sapiro <mark@msapiro.net> 2018-02-04 08:41:19 -0800
committer: Mark Sapiro <mark@msapiro.net> 2018-02-04 08:41:19 -0800
commit: 2dfcd18a5d2982f2f21ff02539f992ba5041808c (patch)
tree: fa2bdc690c692e719f9c61e0244e04820c504393 /NEWS
parent: bcd476a43f2365a48db8c17d0a7076b6a2e0ce92 (diff)
download: mailman2-2dfcd18a5d2982f2f21ff02539f992ba5041808c.tar.gz
mailman2-2dfcd18a5d2982f2f21ff02539f992ba5041808c.tar.xz
mailman2-2dfcd18a5d2982f2f21ff02539f992ba5041808c.zip
1 files changed, 9 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index b1af8bfb..5f66485c 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,15 @@ Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
 
 Here is a history of user visible changes to Mailman.
 
-2.1.26 (xx-xxx-xxxx)
+2.1.26 (04-Feb-2018)
+
+  Security
+
+    - An XSS vulnerability in the user options CGI could allow a crafted URL
+      to execute arbitrary javascript in a user's browser.  A related issue
+      could expose information on a user's options page without requiring
+      login.  These are fixed.  Thanks to Calum Hutton for the report.
+      CVE-2018-5950  (LP: #1747209)
 
   New Features
author	Mark Sapiro <mark@msapiro.net>	2018-02-04 08:41:19 -0800
committer	Mark Sapiro <mark@msapiro.net>	2018-02-04 08:41:19 -0800
commit	2dfcd18a5d2982f2f21ff02539f992ba5041808c (patch)
tree	fa2bdc690c692e719f9c61e0244e04820c504393 /NEWS
parent	bcd476a43f2365a48db8c17d0a7076b6a2e0ce92 (diff)
download	mailman2-2dfcd18a5d2982f2f21ff02539f992ba5041808c.tar.gz mailman2-2dfcd18a5d2982f2f21ff02539f992ba5041808c.tar.xz mailman2-2dfcd18a5d2982f2f21ff02539f992ba5041808c.zip