File Release Notes and Changelog
Notes:
Mailman 2.1.9rc1 is released. This is a bug fix and security
release, but it should not yet be used in a production
environment. Testing is encouraged and feedback is welcome.
Mailman 2.1.9 final is scheduled for release on 10-Sep-2006.
Changes:
2.1.9 (xx-xxx-xxxx)
Security
- A malicious user could visit a specially crafted URI and inject an
apparent log message into Mailman's error log which might induce an
unsuspecting administrator to visit a phishing site. This has been
blocked. Thanks to Moritz Naumann for its discovery.
- Fixed denial of service attack which can be caused by some
standards-breaking RFC 2231 formatted headers. CVE-2006-2941.
- Several cross-site scripting issues have been fixed. Thanks to Moritz
Naumann for their discovery. CVE-2006-3636
Internationalization
- New languages: Arabic, Vietnamese.
Bug fixes and other patches
- Fixed Decorate.py so that characters in message header/footer which
are not in the character set of the list's language are ignored rather
than causing shunted messages (1507248).
- Switchboard.py - Closed very tiny holes at the upper ends of queue
slices that could result in unprocessable queue entries. Improved FIFO
processing when two queue entries have the same timestamp.
