diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile
index 2026170e8af..33d38c9d838 100644
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.65 2011/01/05 16:05:54 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.66 2011/03/03 09:50:11 jasper Exp $
 COMMENT= mailing list manager with web interface
 DISTNAME= mailman-2.1.14
-REVISION= 8
+REVISION= 9
 CATEGORIES= mail www
 HOMEPAGE= http://www.gnu.org/software/mailman/
diff --git a/mail/mailman/patches/patch-Mailman_Cgi_confirm_py b/mail/mailman/patches/patch-Mailman_Cgi_confirm_py
new file mode 100644
index 00000000000..1b1caf7e4f1
--- /dev/null
+++ b/mail/mailman/patches/patch-Mailman_Cgi_confirm_py
@@ -0,0 +1,37 @@
+$OpenBSD: patch-Mailman_Cgi_confirm_py,v 1.1 2011/03/03 09:50:11 jasper Exp $
+
+Security fix for CVE-2011-0707.
+Mailman "Full Name" Script Insertion Vulnerabilities.
+
+Patch from upstream announcement:
+http://mail.python.org/pipermail/mailman-announce/2011-February/000158.html
+
+--- Mailman/Cgi/confirm.py.orig Mon Sep 20 20:18:27 2010
++++ Mailman/Cgi/confirm.py Thu Mar 3 10:47:51 2011
+@@ -471,7 +471,7 @@ def unsubscription_prompt(mlist, doc, cookie, addr):
+ if fullname is None:
+ fullname = _('Not available')
+ else:
+- fullname = Utils.uncanonstr(fullname, lang)
++ fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
+ table.AddRow([_("""Your confirmation is required in order to complete the
+ unsubscription request from the mailing list %(listname)s. You
+ are currently subscribed with
+@@ -573,7 +573,7 @@ def addrchange_prompt(mlist, doc, cookie, oldaddr, new
+ if fullname is None:
+ fullname = _('Not available')
+ else:
+- fullname = Utils.uncanonstr(fullname, lang)
++ fullname = Utils.websafe(Utils.uncanonstr(fullname, lang))
+ if globally:
+ globallys = _('globally')
+ else:
+@@ -814,7 +814,7 @@ def reenable_prompt(mlist, doc, cookie, list, member):
+ if username is None:
+ username = _('not available')
+ else:
+- username = Utils.uncanonstr(username, lang)
++ username = Utils.websafe(Utils.uncanonstr(username, lang))
+
+ table.AddRow([_("""Your membership in the %(realname)s mailing list is
+ currently disabled due to excessive bounces. Your confirmation is
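Review bot: Only `fullname` and `username` are escaped at the three patched sites in confirm.py, while the other values interpolated into the same `table.AddRow` templates (`%(listname)s`, `%(realname)s`, and presumably the `addr`/`oldaddr` arguments named in the hunk headers) are not escaped in the visible lines. Each of `unsubscription_prompt`, `addrchange_prompt` and `reenable_prompt` continues outside its hunk, so whether those values are escaped elsewhere cannot be confirmed from this patch and is worth checking against the full file. Separately, `Utils.websafe` is applied to the output of `Utils.uncanonstr`; if that helper falls back to HTML character references for names outside the list language's charset (not shown here, confirm in Utils.py), the `&` will be escaped again and such names will display as literal `&#NNN;`, which fails safe but should be tested with a non-ASCII name. A one-line comment at each site would record the intent, e.g. `# subscriber-supplied; must be HTML-escaped before interpolation (CVE-2011-0707)`.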