From bb493df55fe504a0dd4f743ad48837fd18eb9888 Mon Sep 17 00:00:00 2001
From: Mark Sapiro <mark@msapiro.net>
Date: Tue, 5 May 2020 08:08:54 -0700
Subject: Fixed options login content injection vulnerability.

---
 Mailman/Cgi/options.py | 2 +-
 NEWS                   | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 641ec134..ee2293e2 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -173,7 +173,7 @@ def main():
     try:
         Utils.ValidateEmail(user)
     except Errors.EmailAddressError:
-        doc.addError(_('Illegal Email Address: %(safeuser)s'))
+        doc.addError(_('Illegal Email Address'))
         loginpage(mlist, doc, None, language)
         print doc.Format()
         return
diff --git a/NEWS b/NEWS
index 5e35d462..e9715d13 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,12 @@ Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
 
 Here is a history of user visible changes to Mailman.
 
-2.1.30-1 (xx-xxx-xxxx)
+2.1.31 (05-May-2020)
+
+  Security
+
+    - A content injection vulnerability via the options login page has been
+      discovered and reported by Vishal Singh. This is fixed.  (LP: #1873722)
 
   i18n
 
-- 
cgit v1.2.3