Hi,
since no one else seems to use the mailman 2.x package (but I have seen attempts at 3.x in WIP), I just want to share what I have been locally running for the last few months with no noticeable hiccups.
It is basically just following upstream with no changed patches.
This fixes:
2.1.26:
- An XSS vulnerability in the user options CGI could allow a crafted URL to execute arbitrary javascript in a user's browser. A related issue could expose information on a user's options page without requiring login. These are fixed. Thanks to Calum Hutton for the report. CVE-2018-5950 (LP: #1747209)
2.1.27:
- Existing protections against malicious listowners injecting evil scripts into listinfo pages have had a few more checks added. JVN#00846677/JPCERT#97432283
- A few more error messages have had their values HTML escaped. JVN#00846677/JPCERT#97432283
- The hash generated when SUBSCRIBE_FORM_SECRET is set could have been the same as one generated at the same time for a different list and IP address. While this is not thought to be exploitable in any way, the generation has been changed to avoid this. Thanks to Ralf Jung.
2.1.28:
- A content spoofing vulnerability with invalid list name messages in the web UI has been fixed. CVE-2018-13796 (LP: #1780874)
Here you go:
Attachment:
2.1.25-2.1.29.diff
Cheers, Oskar