File Release Notes and Changelog
Release Name: 2.0.13
Notes:
Version 2.0.13 fixes some Python 1.5.2 incompatibilities and some configure script incompatibilities on Solaris and possibly other platforms.
Changes:
<pre>
2.0.13 (29-Jul-2002)

    - Fixed some Python 1.5.2 compatibility problems that crept into
      Mailman 2.0.12.

    - Fixed some configure script incompatibilities on certain
      platforms.

2.0.12 (02-Jul-2002)

    - Implemented a guard against some reply loops and 'bot
      subscription attacks. Specifically, if a message to -request
      has a Precedence: bulk (or list, or junk) header, the command is
      ignored. Well-behaved 'bots should always include such a
      header.

    - Changes to the configure script so that you can pass in the mail
      host and web host by setting the environment variables MAILHOST
      and WWWHOST respectively. configure will also exit if it can't
      figure out these values (usually due to broken dns).

    - Closed another minor cross-site scripting vulnerability.

2.0.11 (20-May-2002)

    - Closed two cross-site scripting vulnerabilities: one in the
      admin login page, and one in the HTML archive indices.

2.0.10 (09-Apr-2002)

    - Closed another small race condition.

    - Add the RFC-2822 recommended Message-ID: header on internally
      generated outgoing messages. Not all MTAs add this field if
      missing (read: Qmail).

2.0.9 (02-Apr-2002)

    - Closed a race condition which could, under rare circumstances,
      cause the occasional message to get lost.

    - HTML escape message excerpts and headers on the admindb page so
      JavaScript and other evil tags can't mess up the display.

    - Some additional Python 2.2 compatibility fixes.

    - Unlink the footer logos so as not to bug the python.org and
      gnu.org maintainers as much. :(

    - Fix a crash in the DSN bounce detection module, which could
      cause some bounce messages to remain in the queue.

    - Add the RFC-2822 mandated Date: header on internally generated
      outgoing messages. Not all MTAs add this field if missing
      (read: Qmail).

2.0.8 (27-Nov-2001)

    Security fix release to prevent cross-site scripting exploits.
    See http://www.cert.org/advisories/CA-2000-02.html for a
    description of the general problem (not Mailman specific).

2.0.7 (09-Nov-2001)

    Security fixes:

    - Closed a hole in cookie management whereby some carefully
      crafted untrusted cookie data could crash Mailman if used with
      Python 1.5.2, or cause some unintended class constructors to be
      run on the server.

    - In the DSN.py bounce handler, a message that was DSN-like, but
      which was missing a "report-type" parameter could cause a
      non-deletable bounce message to crash Mailman forever, requiring
      manual intervention.

    Bug fixes:

    - Stray % signs in headers and footers could cause crashes. Now
      they'll just cause an [INVALID HEADER] or [INVALID FOOTER]
      string to be added.

    - The mail->news gateway has been made more robust in the face of
      duplicate headers, and reserved headers that some news servers
      reject. If the message is still rejected, it is saved in
      $prefix/nntp instead of discarded.

    - Hand-crafted invalid chunk number in membership management
      display could cause a traceback.

2.0.6 (25-Jul-2001)

    Security fix:

    - Fixed a potential security hole which could allow access to list
      administrative features by unauthorized users. If there is an
      empty data/adm.pw file (the site password file), then any
      password will be accepted as the list administrative password.
      This exploit is caused by a common "bug" in the crypt() function
      suffered by several Unix distributions, including at least
      GNU/Linux and Solaris. Given a salt string of length zero,
      crypt() always returns the empty string.

      In lieu of applying this patch, sites can run bin/mmsitepass and
      ensure that data/adm.pw is of length 2 or greater.

    Bug fixes:

    - Ensure that even if DEFAULT_URL is misconfigured in mm_cfg.py
      (i.e. is missing a trailing slash), it is always fixed upon list
      creation.

    - Check for administrivia holds before any other tests.

    - SF bugs fixed: 407666, 227694

    - Other miscellaneous buglets fixed.

2.0.5 (04-May-2001)

    Fix a lock stagnation problem that can result when the user hits
    the `stop' button on their browser during a write operation that
    can take a long time (e.g. hitting the membership management admin
    page).

2.0.4 (18-Apr-2001)

    Python 2.1 compatibility release. There were a few questionable
    constructs and uses of deprecated modules that caused annoying
    warnings when used with Python 2.1. This release quiets those
    warnings.

2.0.3 (12-Mar-2001)

    Bug fix release. There was a small typo in 2.0.2 in ListAdmin.py
    for approving an already subscribed member (thanks Thomas!).
    Also, an update to the OpenWall security workaround
    (contrib/securelinux_fix.py) was included. Thanks to Marc Merlin.

2.0.2 (03-Mar-2001)

    Security fix:

    - A fix for a potential privacy exploit where a clever list
      administrator could gain access to user passwords. This doesn't
      allow them to do much more harm to the user than they normally
      could, but they still shouldn't have access to the passwords.

    Bug fixes:

    - In the admindb page, don't complain when approving a
      subscription of someone who's already on the list (SF bug
      #222409 - Thomas Wouters).

      Also, quote for HTML the Subject: text printed for held
      messages, otherwise messages with e.g. "Subject: </table>" could
      royally screw page formatting.

    - In Netscape.py bounce processor, don't bomb out on ill-formed
      messages (no semi-colon separating parameters), otherwise mail
      delivery could grind to a halt. Bug reported by Kambiz
      Aghaiepour.

    - Docstring fix bin/newlist to remove mention of "immediate"
      argument (Thomas Wouters).

    - Fix for bin/update when PREFIX != VAR_PREFIX (SF bug #229794 --
      Thomas Wouters).

2.0.1 (03-Jan-2001)

    Bug fix release, namely fixes a buglet in bin/withlist affecting
    the -l and -r flags; also a problem that can cause qrunner to stop
    processing mail after disk-full events (SourceForge bug 127199).
</pre>
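The 2.0.12 entry describes a guard that ignores -request commands carried by mail marked Precedence: bulk, list or junk. The following is an added example, not Mailman's own code, showing how such a guard is applied to an incoming message with Python's standard email parser; the toy command dispatcher and the sample messages are constructed for the illustration.

```python
"""Added example (not Mailman's own code): the 2.0.12 guard that ignores
-request commands sent by automated mail. A message whose Precedence:
header is bulk, list or junk never reaches command processing, which
stops auto-responder reply loops and 'bot-driven subscription attempts."""
import email
from email.message import Message

# Precedence values that mark automated mail (values from the changelog).
AUTOMATED_PRECEDENCE = frozenset({"bulk", "list", "junk"})


def is_automated(msg: Message) -> bool:
    """True if any Precedence: header marks the message as automated.

    Header field names are case-insensitive and a field may occur more
    than once, so every occurrence is checked after normalising case and
    surrounding whitespace."""
    return any(
        value.strip().lower() in AUTOMATED_PRECEDENCE
        for value in msg.get_all("Precedence", [])
    )


def process_request(raw: str) -> str:
    """Toy -request dispatcher (a simplification, not Mailman's handler).

    Returns the command word that would be executed, or "ignored" when
    the Precedence guard fires. The first non-empty body line is taken
    as the command."""
    msg = email.message_from_string(raw)
    if is_automated(msg):
        return "ignored"
    body = "" if msg.is_multipart() else msg.get_payload()
    for line in body.splitlines():
        stripped = line.strip()
        if stripped:
            return stripped.split()[0].lower()
    return "no-command"


# Constructed sample messages.
HUMAN_REQUEST = """\
From: alice@example.invalid
To: mylist-request@example.invalid
Subject: subscribe

subscribe
"""

BOT_REQUEST = """\
From: autoresponder@example.invalid
To: mylist-request@example.invalid
PRECEDENCE:  Bulk
Subject: Out of office

subscribe
"""

if __name__ == "__main__":
    print(process_request(HUMAN_REQUEST))  # subscribe
    print(process_request(BOT_REQUEST))    # ignored
```

Note that the check must be case-insensitive on both the field name and the value: the auto-responder above writes PRECEDENCE: Bulk, and a guard that compared only the exact string "bulk" would let it through.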
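Two of the entries above concern rendering list-supplied text safely: the 2.0.7 fix that turns a stray % in a header or footer template into an [INVALID HEADER] or [INVALID FOOTER] marker instead of a crash, and the 2.0.9 and 2.0.2 fixes that HTML-escape subjects and excerpts on the admindb page so that a "Subject: </table>" cannot break the page. The block below is an added example, not Mailman's own code, covering both; the template validation with a regular expression is stricter than what the changelog describes and is my addition, and all sample inputs are constructed.

```python
"""Added example (not Mailman's own code): defensive rendering of
list-owner templates (2.0.7) and of held-message text on the admindb
page (2.0.9 / 2.0.2). Sample templates and messages are constructed."""
import html
import re

# Only %% and %(name)s are accepted in a template; any other % is a
# stray one. This explicit check is stricter than relying on the %
# operator to raise, because "100% sure" contains "% s", which Python
# would silently format rather than reject.
_PLACEHOLDER = re.compile(r"%(?:%|\([A-Za-z_][A-Za-z0-9_]*\)s)")


def interpolate(template: str, kind: str, subs: dict) -> str:
    """Expand a header/footer template with %(name)s placeholders.

    A malformed template (stray %, unknown name, truncated conversion)
    yields the marker string the changelog mentions instead of raising
    into the delivery process."""
    residue = _PLACEHOLDER.sub("", template)
    if "%" in residue:
        return "[INVALID %s]" % kind.upper()
    try:
        return template % subs
    except (TypeError, ValueError, KeyError):
        return "[INVALID %s]" % kind.upper()


def render_held_row(subject: str, excerpt: str) -> str:
    """One admindb table row for a held message.

    Both fields come from an untrusted sender, so every special character
    is escaped before the text is placed inside the HTML table; with
    quote=True the escaping is also safe inside attribute values."""
    return "<tr><td>%s</td><td><pre>%s</pre></td></tr>" % (
        html.escape(subject, quote=True),
        html.escape(excerpt, quote=True),
    )


if __name__ == "__main__":
    subs = {"listname": "mylist"}
    print(interpolate("-- %(listname)s mailing list", "footer", subs))
    print(interpolate("50% off", "footer", subs))           # [INVALID FOOTER]
    print(render_held_row("</table>", "<b>hi</b> & bye"))
```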
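The 2.0.6 security fix turns on a property of the crypt() of the day: given an empty salt it returned the empty string, so an empty data/adm.pw file matched every candidate password. The following added example, not Mailman's own code, contrasts the vulnerable comparison with one that applies the "length 2 or greater" check the entry recommends. Because a modern libc no longer behaves this way, a small stand-in for crypt() that reproduces the described behaviour is constructed here; it is not a real password hash and exists only so the example runs offline.

```python
"""Added example (not Mailman's own code): the 2.0.6 site-password check.
legacy_crypt() is a constructed stand-in for the affected crypt(): it
returns the empty string for an empty salt, exactly the behaviour the
changelog describes, and is otherwise a toy hash, not a real one."""
import hashlib
import hmac


def legacy_crypt(password: str, salt: str) -> str:
    """Constructed stand-in for the buggy libc crypt().

    Returns a 13-character string (2-char salt + 11-char digest) like
    traditional crypt(), and "" when the salt is shorter than 2
    characters, as the affected libcs did."""
    if len(salt) < 2:
        return ""
    salt = salt[:2]
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:11]
    return salt + digest


def check_site_password_vulnerable(stored: str, candidate: str) -> bool:
    """The pre-2.0.6 comparison: the first two characters of the stored
    hash are the salt. With stored == "" the salt is "", crypt() returns
    "", and "" == "" accepts any candidate."""
    return legacy_crypt(candidate, stored[:2]) == stored


def check_site_password_fixed(stored: str, candidate: str) -> bool:
    """The hardened comparison: refuse a stored hash that is too short to
    contain a salt before crypt() is ever called (the "length 2 or
    greater" rule), and compare in constant time."""
    if len(stored) < 2:
        return False
    return hmac.compare_digest(legacy_crypt(candidate, stored[:2]), stored)


def load_site_hash(path: str) -> str:
    """Read data/adm.pw as the site would; an empty or missing file
    yields "" and is then rejected by check_site_password_fixed()."""
    try:
        with open(path, encoding="ascii") as fp:
            return fp.read().strip()
    except OSError:
        return ""


if __name__ == "__main__":
    empty_adm_pw = ""                       # the dangerous configuration
    print(check_site_password_vulnerable(empty_adm_pw, "anything"))  # True
    print(check_site_password_fixed(empty_adm_pw, "anything"))       # False
    good = legacy_crypt("s3cret", "ab")
    print(check_site_password_fixed(good, "s3cret"))                 # True
```

The operational lesson survives the specific bug: a verifier should reject a stored credential that cannot possibly be valid (empty, truncated, malformed) before handing it to the hashing primitive, rather than trusting the primitive to fail closed.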