From f2d4b816b39a77c32562dc8a23b1fcd0e61cc869 Mon Sep 17 00:00:00 2001
From: Mark Sapiro <mark@msapiro.net>
Date: Thu, 30 Mar 2017 12:20:45 -0700
Subject: Fixed unexploitable XSS attach via crafted HTTP Host: header.

---
 NEWS | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'NEWS')

diff --git a/NEWS b/NEWS
index eaa202a1..083f4027 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,12 @@ Here is a history of user visible changes to Mailman.
 
 2.1.24 (xx-xxx-xxxx)
 
+  Security
+
+    - A most likely unexploitable XSS attach that relies on the Mailman web
+      server passing a crafted Host: header to the CGI environment has been
+      fixed.  Apache for one is not vulnerable.  Thanks to Alqnas Eslam.
+
   New Features
 
     - cron/senddigests has a new -e/--exceptlist option to send pending
-- 
cgit v1.2.3