Membership information leak through options page.

Bug #2017813 reported by Mark Sapiro
Affects: GNU Mailman
Status: Fix Committed
Assigned to: Mark Sapiro

Bug Description

The fix for #2015416 was incomplete. The options login page returned from an invalid login with private rosters is still subtly different between the `email is not a list member` and the `email is a list member but password is incorrect` cases.

Mark Sapiro (msapiro) wrote :

The fix for this specific issue is simple. See but it depends on other changes since the 2.1.39 release; a patch against that base is attached.

Mark Sapiro (msapiro)
Changed in mailman:
status: New → Fix Committed
information type: Private Security → Public
Mark Sapiro (msapiro) wrote :

The prior fix for this issue at created another possible leak. This has been corrected at and an updated patch against the 2.1.39 base is attached.
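
A regression check for the class of leak described in this report, added here as an example and not taken from the Mailman code base or its patches: it compares the invalid-login response for a non-member address with the one for a member address and a wrong password, after masking parts that vary for unrelated reasons. The responses, the `csrf_token` field name and the `example_field` difference are constructed for illustration.

```python
import difflib
import re

# Headers expected to vary per request regardless of membership (assumed list).
VOLATILE_HEADERS = {"date", "set-cookie", "content-length"}


def normalize_body(body, submitted_email):
    """Mask content that differs for reasons unrelated to membership."""
    body = body.replace(submitted_email, "<EMAIL>")
    # Per-request hidden token; the field name is hypothetical.
    return re.sub(r'(name="csrf_token" value=")[^"]*', r"\1<TOKEN>", body)


def compare_responses(resp_a, resp_b):
    """Return observable differences; an empty list means the pages match.

    Each response is a tuple (status, headers, body, submitted_email).
    """
    (status_a, headers_a, body_a, email_a) = resp_a
    (status_b, headers_b, body_b, email_b) = resp_b
    findings = []
    if status_a != status_b:
        findings.append(f"status: {status_a} != {status_b}")
    stable_a = {k.lower(): v for k, v in headers_a.items()
                if k.lower() not in VOLATILE_HEADERS}
    stable_b = {k.lower(): v for k, v in headers_b.items()
                if k.lower() not in VOLATILE_HEADERS}
    for name in sorted(set(stable_a) | set(stable_b)):
        if stable_a.get(name) != stable_b.get(name):
            findings.append(f"header {name}: {stable_a.get(name)!r} != {stable_b.get(name)!r}")
    # Line-level diff keeps whitespace, so even a stray blank is reported.
    lines_a = normalize_body(body_a, email_a).splitlines()
    lines_b = normalize_body(body_b, email_b).splitlines()
    for line in difflib.ndiff(lines_a, lines_b):
        if line[:2] in ("+ ", "- "):
            findings.append("body: " + line)
    return findings


# Constructed sample responses (not captured from a real Mailman server).
PAGE = ('<form>\n<input name="csrf_token" value="{tok}">\n'
        '<p>Login for {email}</p>\n{extra}</form>\n')
HDRS = {"Content-Type": "text/html"}
NOT_MEMBER = (200, {**HDRS, "Date": "t1"},
              PAGE.format(tok="a1", email="nobody@example.com", extra=""),
              "nobody@example.com")
WRONG_PW = (200, {**HDRS, "Date": "t2"},
            PAGE.format(tok="b2", email="member@example.com",
                        extra='<input type="hidden" name="example_field" value="1">\n'),
            "member@example.com")
WRONG_PW_FIXED = (200, {**HDRS, "Date": "t3"},
                  PAGE.format(tok="c3", email="member@example.com", extra=""),
                  "member@example.com")
```

Run against a test instance with private rosters, the check should return an empty list for the two cases; any finding is a membership oracle.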
