GNU Mailman

Membership information leak through options page.

Bug #2017813 reported by Mark Sapiro
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
GNU Mailman
Fix Committed
Low
Mark Sapiro
GNU Mailman 2.1.40

Bug Description

The fix for #2015416 was incomplete. The options login page returned from an invalid login with private rosters is still subtly different between the `email is not a list member` and the `email is a list member but password is incorrect` cases.

Related branches

lp://staging/mailman/2.1
Revision history for this message
Mark Sapiro (msapiro) wrote :

The fix for this specific issue is simple. See https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1892 but it depends on other changes since the 2.1.39 release, a patch against that base is attached.

Mark Sapiro (msapiro)
Changed in mailman:
status: New → Fix Committed
information type: Private Security → Public
Revision history for this message
Mark Sapiro (msapiro) wrote :

The prior fix for this issue at https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1892 created another possible leak. This has been corrected at https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1893 and an updated patch against the 2.1.39 base is attached.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.