aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--Mailman/Cgi/options.py2
-rw-r--r--NEWS12
2 files changed, 14 insertions, 0 deletions
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 60b7d9b6..3db0a172 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -346,6 +346,8 @@ def main():
varhelp = qs[0]
if varhelp:
# Sanitize the topic name.
+ while '%' in varhelp:
+ varhelp = urllib.unquote_plus(varhelp)
varhelp = re.sub('<.*', '', varhelp)
topic_details(mlist, doc, user, cpuser, userlang, varhelp)
return
diff --git a/NEWS b/NEWS
index 86b09d70..184f968b 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,18 @@ Copyright (C) 1998-2020 by the Free Software Foundation, Inc.
Here is a history of user visible changes to Mailman.
+2.1.36 (xx-Nov-2021)
+
+ Security
+
+ - A potential XSS attack via the user options page has been reported by
+ Harsh Jaiswal. This is fixed. CVE-2021-43331 (LP:#1949401)
+
+ - A potential for for a list moderator to carry out an off-line brute force
+ attack to obtain the list admin password has been reported by Andre
+ Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.
+ CVE-2021-43332 (LP:#1949403)
+
2.1.35 (19-Oct-2021)
Security