From bb0383b9174e1afb5939928539bfd9c20c8829f2 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Wed, 15 Mar 2017 20:39:27 -0700 Subject: Treat message and digest headers and footers as empty if they contain only whitespace. --- NEWS | 3 +++ 1 file changed, 3 insertions(+) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 0be02873..eaa202a1 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,9 @@ Here is a history of user visible changes to Mailman. Bug fixes and other patches + - Treat message and digest headers and footers as empty if they contain + only whitespace. (LP: #1673307) + - Ensured that added message and digest headers and footers always have a terminating new-line. (LP: #1670033) -- cgit v1.2.3 From f2d4b816b39a77c32562dc8a23b1fcd0e61cc869 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Thu, 30 Mar 2017 12:20:45 -0700 Subject: Fixed unexploitable XSS attack via crafted HTTP Host: header. --- NEWS | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'NEWS') diff --git a/NEWS b/NEWS index eaa202a1..083f4027 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,12 @@ Here is a history of user visible changes to Mailman. 2.1.24 (xx-xxx-xxxx) + Security + + - A most likely unexploitable XSS attach that relies on the Mailman web + server passing a crafted Host: header to the CGI environment has been + fixed. Apache for one is not vulnerable. Thanks to Alqnas Eslam. + New Features - cron/senddigests has a new -e/--exceptlist option to send pending -- cgit v1.2.3
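Review bot: In the first hunk (NEWS @@ -26,6 +26,9 @@, commit bb0383b), the new entry "Treat message and digest headers and footers as empty if they contain only whitespace" does not say what counts as whitespace, and it sits directly above the entry for LP: #1670033, which guarantees that every added header and footer ends in a newline. Read together, a header that consists of nothing but that terminating newline is now whitespace-only and therefore dropped, which is the user-visible outcome a list owner with a "blank" header setting will actually notice; say so in the entry, e.g. "... if they contain only whitespace (including a header or footer that is just a newline), so no blank line is added to the message", and confirm the same rule is applied on both the message and digest paths. Since this cgit view is limited to NEWS, the code change itself is not reviewable here; the entry is the only place an admin will learn the new behaviour, so it should be precise.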
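Review bot: In the second hunk (NEWS @@ -7,6 +7,12 @@, commit f2d4b81), the Security entry has three problems. First, "XSS attach" should read "XSS attack" (the typo is also in the commit subject). Second, the entry hedges ("most likely unexploitable", "Apache for one is not vulnerable") without giving administrators on other web servers anything to judge exposure with: state which CGI environment variable the crafted Host: header reaches and what the fix does with it (validate it, escape it before it lands in generated HTML, or fall back to the configured host), so that "is my server affected?" can be answered from NEWS alone. Third, unlike every other entry in this file, it carries no bug reference; add the LP: number (or whatever tracker identifier exists) next to the credit "Thanks to Alqnas Eslam" so the fix can be traced to the report.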