Fix a potentail XSS attack via the user options page.

author: Mark Sapiro <mark@msapiro.net> 2021-11-03 12:02:21 -0700
committer: Mark Sapiro <mark@msapiro.net> 2021-11-03 12:02:21 -0700
commit: e17a9218ddd5b614c2a02743cedc9652974af7af (patch)
tree: 5986ad88c29d21e91af700a6f12c67c3cd42b4e2 /NEWS
parent: 488bc552f048eb03f510791eac87cc717370ab59 (diff)
download: mailman2-e17a9218ddd5b614c2a02743cedc9652974af7af.tar.gz
mailman2-e17a9218ddd5b614c2a02743cedc9652974af7af.tar.xz
mailman2-e17a9218ddd5b614c2a02743cedc9652974af7af.zip
1 files changed, 12 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 86b09d70..184f968b 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,18 @@ Copyright (C) 1998-2020 by the Free Software Foundation, Inc.
 
 Here is a history of user visible changes to Mailman.
 
+2.1.36 (xx-Nov-2021)
+
+  Security
+
+    - A potential XSS attack via the user options page has been reported by
+      Harsh Jaiswal.  This is fixed.  CVE-2021-43331 (LP:#1949401)
+
+    - A potential for for a list moderator to carry out an off-line brute force
+      attack to obtain the list admin password has been reported by Andre
+      Protas, Richard Cloke and Andy Nuttall of Apple.  This is fixed.
+      CVE-2021-43332 (LP:#1949403)
+
 2.1.35 (19-Oct-2021)
 
   Security
author	Mark Sapiro <mark@msapiro.net>	2021-11-03 12:02:21 -0700
committer	Mark Sapiro <mark@msapiro.net>	2021-11-03 12:02:21 -0700
commit	e17a9218ddd5b614c2a02743cedc9652974af7af (patch)
tree	5986ad88c29d21e91af700a6f12c67c3cd42b4e2 /NEWS
parent	488bc552f048eb03f510791eac87cc717370ab59 (diff)
download	mailman2-e17a9218ddd5b614c2a02743cedc9652974af7af.tar.gz mailman2-e17a9218ddd5b614c2a02743cedc9652974af7af.tar.xz mailman2-e17a9218ddd5b614c2a02743cedc9652974af7af.zip