Membership information leak through options page

Bug #1968443 reported by Evangelos Foutras
This bug affects 1 person
Affects: GNU Mailman
Status: Fix Committed
Importance: Medium
Assigned to: Mark Sapiro

Bug Description

Using mailman 2.1.39 with the recent fixes for bug 1961762 applied on top. [1] [2]

A user has noticed the following behavior on our list with private_roster = 1 (List members): [3]

==========================
When using the Remind button:

"If you are a list member, your password has been emailed to you." is only displayed when the entered email is on the list.

The same thing happens with the Unsubscribe button: "If you are a list member, a confirmation email has been sent." is only displayed when the entered email is on the list.
==========================

[1] https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1887
[2] https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1888
[3] https://bugs.archlinux.org/task/74424
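The behavior reported above can be pinned down with a differential check: submit the same action for a known member and a known non-member and require identical pages. The following is an added example, not code from Mailman or from this report; ToyList, leaky_options, uniform_options and leaking_actions are hypothetical names, the addresses are constructed, and the uniform handler is an assumed hardening, not necessarily the fix that was committed.

```python
# Added example: simplified model, not Mailman's source code.
NOTICE = {
    "remind": "If you are a list member, your password has been emailed to you.",
    "unsub": "If you are a list member, a confirmation email has been sent.",
}


class ToyList:
    """Constructed stand-in for a list with private_roster = 1."""

    def __init__(self, members):
        self.members = {m.lower() for m in members}
        self.outbox = []  # (action, address) pairs that would be mailed

    def is_member(self, addr):
        return addr.lower() in self.members


def leaky_options(mlist, addr, action):
    """Reported behaviour: the notice is rendered only for members."""
    page = ["Member options"]
    if mlist.is_member(addr):
        mlist.outbox.append((action, addr))
        page.append(NOTICE[action])
    return "\n".join(page)


def uniform_options(mlist, addr, action):
    """Assumed hardening: mail members only, render one page for all."""
    if mlist.is_member(addr):
        mlist.outbox.append((action, addr))
    return "\n".join(["Member options", NOTICE[action]])


def leaking_actions(handler, member, stranger):
    """Actions whose page differs for a member vs. a non-member."""
    leaks = []
    for action in NOTICE:
        mlist = ToyList([member])
        if handler(mlist, member, action) != handler(mlist, stranger, action):
            leaks.append(action)
    return leaks


if __name__ == "__main__":
    # Constructed addresses.
    print(leaking_actions(leaky_options, "alice@example.org", "bob@example.org"))
    print(leaking_actions(uniform_options, "alice@example.org", "bob@example.org"))
```

The comparison covers only the page body; status codes, redirects and response timing need their own checks.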

Mark Sapiro (msapiro)
Changed in mailman:
importance: Undecided → Medium
milestone: none → 2.1.40
status: New → Confirmed
Mark Sapiro (msapiro)
Changed in mailman:
assignee: nobody → Mark Sapiro (msapiro)
status: Confirmed → Fix Committed