From 2dfcd18a5d2982f2f21ff02539f992ba5041808c Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Sun, 4 Feb 2018 08:41:19 -0800 Subject: Fix XSS and info leak in options CGI - CVE-2018-5950 --- NEWS | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'NEWS') diff --git a/NEWS b/NEWS index b1af8bfb..5f66485c 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,15 @@ Copyright (C) 1998-2018 by the Free Software Foundation, Inc. Here is a history of user visible changes to Mailman. -2.1.26 (xx-xxx-xxxx) +2.1.26 (04-Feb-2018) + + Security + + - An XSS vulnerability in the user options CGI could allow a crafted URL + to execute arbitrary javascript in a user's browser. A related issue + could expose information on a user's options page without requiring + login. These are fixed. Thanks to Calum Hutton for the report. + CVE-2018-5950 (LP: #1747209) New Features -- cgit v1.2.3
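Review bot: In the added Security entry under 2.1.26, the sentence "A related issue could expose information on a user's options page without requiring login" does not say which information is exposed, so a list administrator reading NEWS cannot judge whether subscriber data on their site was at risk before upgrading. Consider naming the kind of data involved and stating which earlier releases are affected, since the entry currently gives only the fixed version. The view shown is limited to NEWS, so the code change to the options CGI cannot be checked against this description from these lines. It would help if the entry or the commit message named the file that carries the fix.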