From 5ea7ee4e955d96177e461b0a1f2c2be04df12ea8 Mon Sep 17 00:00:00 2001
From: Mark Sapiro <mark@msapiro.net>
Date: Mon, 18 Oct 2021 16:56:42 -0700
Subject: Fixes for CVEs 2021-42096 and 2021-42097.

---
 NEWS | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'NEWS')

diff --git a/NEWS b/NEWS
index 31c6925b..86b09d70 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,17 @@ Copyright (C) 1998-2020 by the Free Software Foundation, Inc.
 
 Here is a history of user visible changes to Mailman.
 
-2.1.35 (xx-xxx-xxxx)
+2.1.35 (19-Oct-2021)
+
+  Security
+
+    - A potential for for a list member to carry out an off-line brute force
+      attack to obtain the list admin password has been reported by Andre
+      Protas, Richard Cloke and Andy Nuttall of Apple.  This is fixed.
+      CVE-2021-42096  (LP:#1947639)
+
+    - A CSRF attack via the user options page could allow takeover of a users
+      account.  This is fixed.  CVE-2021-42097  (LP:#1947640)
 
   Bug Fixes and other patches
 
-- 
cgit v1.2.3