Fixes for CVEs 2021-42096 and 2021-42097.

author: Mark Sapiro <mark@msapiro.net> 2021-10-18 16:56:42 -0700
committer: Mark Sapiro <mark@msapiro.net> 2021-10-18 16:56:42 -0700
commit: 5ea7ee4e955d96177e461b0a1f2c2be04df12ea8 (patch)
tree: ade915f7858d465fa9d837d385b1b4db5704d949 /NEWS
parent: e5cc9a25db87802b300834a890d0c5e274deaf6d (diff)
download: mailman2-5ea7ee4e955d96177e461b0a1f2c2be04df12ea8.tar.gz
mailman2-5ea7ee4e955d96177e461b0a1f2c2be04df12ea8.tar.xz
mailman2-5ea7ee4e955d96177e461b0a1f2c2be04df12ea8.zip
1 files changed, 11 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 31c6925b..86b09d70 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,17 @@ Copyright (C) 1998-2020 by the Free Software Foundation, Inc.
 
 Here is a history of user visible changes to Mailman.
 
-2.1.35 (xx-xxx-xxxx)
+2.1.35 (19-Oct-2021)
+
+  Security
+
+    - A potential for for a list member to carry out an off-line brute force
+      attack to obtain the list admin password has been reported by Andre
+      Protas, Richard Cloke and Andy Nuttall of Apple.  This is fixed.
+      CVE-2021-42096  (LP:#1947639)
+
+    - A CSRF attack via the user options page could allow takeover of a users
+      account.  This is fixed.  CVE-2021-42097  (LP:#1947640)
 
   Bug Fixes and other patches
author	Mark Sapiro <mark@msapiro.net>	2021-10-18 16:56:42 -0700
committer	Mark Sapiro <mark@msapiro.net>	2021-10-18 16:56:42 -0700
commit	5ea7ee4e955d96177e461b0a1f2c2be04df12ea8 (patch)
tree	ade915f7858d465fa9d837d385b1b4db5704d949 /NEWS
parent	e5cc9a25db87802b300834a890d0c5e274deaf6d (diff)
download	mailman2-5ea7ee4e955d96177e461b0a1f2c2be04df12ea8.tar.gz mailman2-5ea7ee4e955d96177e461b0a1f2c2be04df12ea8.tar.xz mailman2-5ea7ee4e955d96177e461b0a1f2c2be04df12ea8.zip