I'm sorry folks. As some of you are aware, a small but nasty typo
snuck its way into the Mailman 2.0.2 release, necessitating a bug fix
patch. Thus I've just uploaded Mailman 2.0.3 to SourceForge. I
highly recommend that you upgrade to this version.
As usual I'm releasing this as both a complete tarball and as a patch
against Mailman 2.0.2. You /must/ update your source to 2.0.2 before
applying the 2.0.3 patch. Since the patch is small, I'm including it
in this message. To apply, cd into your 2.0.2 source tree and apply
it like so:
% patch -p0 < mailman-2.0.2-2.0.3.diff
Currently both http://mailman.sourceforge.net and http://www.list.org
are updated, and I expect the gnu.org site to be updated soon as
well. The release information on SF is at
http://sourceforge.net/project/shownotes.php?release_id=27001
-Barry
P.S. It was nice to meet so many Mailman fans at IPC9! It was also
quite cool to finally meet Thomas Wouters. Don't worry Thomas, I
won't hold this one against ya. :)
[From the NEWS file]
2.0.3 (12-Mar-2001)
Bug fix release. There was a small typo in 2.0.2 in ListAdmin.py
for approving an already subscribed member (thanks Thomas!).
Also, an update to the OpenWall security workaround
(contrib/securelinux_fix.py) was included. Thanks to Marc Merlin.
Index: NEWS
===================================================================
RCS file: /cvsroot/mailman/mailman/NEWS,v
retrieving revision 1.25.2.2
retrieving revision 1.25.2.4
diff -u -r1.25.2.2 -r1.25.2.4
--- NEWS 2001/03/03 06:51:26 1.25.2.2
+++ NEWS 2001/03/12 19:32:10 1.25.2.4
@@ -1,8 +1,15 @@
Mailman - The GNU Mailing List Management System
-Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
+Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc.
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
Here is a history of user visible changes to Mailman.
+
+2.0.3 (12-Mar-2001)
+
+ Bug fix release. There was a small typo in 2.0.2 in ListAdmin.py
+ for approving an already subscribed member (thanks Thomas!).
+ Also, an update to the OpenWall security workaround
+ (contrib/securelinux_fix.py) was included. Thanks to Marc Merlin.
2.0.2 (03-Mar-2001)
Index: README.LINUX
===================================================================
RCS file: /cvsroot/mailman/mailman/README.LINUX,v
retrieving revision 1.6
retrieving revision 1.6.2.1
diff -u -r1.6 -r1.6.2.1
--- README.LINUX 2000/09/19 17:25:23 1.6
+++ README.LINUX 2001/03/12 19:21:50 1.6.2.1
@@ -1,5 +1,5 @@
Mailman - The GNU Mailing List Management System
-Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
+Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc.
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
GNU/LINUX ISSUES
@@ -14,6 +14,11 @@
can cause "Operation not permitted" errors in MailList.Save() -- you
will see a traceback. You must turn restricted hardlinks off. This
is also known under the name of Openwall Security Patches.
+
+There is a workaround for this problem, you can use securelinux_fix.py
+in the contrib directory (see the README.securelinux_fix.py). Note
+that the script will not work until you move it in your installed
+Mailman tree in the bin directory.
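Review bot: the file name referenced in the new paragraph does not match the file this patch adds: the text says "see the README.securelinux_fix.py", but the file committed below is contrib/README.securelinux_fix (no .py suffix). The sentence also has a comma splice and says "move" where the README itself says "copied"; suggest one consistent wording, e.g. "There is a workaround for this problem: securelinux_fix.py in the contrib directory (see contrib/README.securelinux_fix). Note that the script only works once copied into the bin directory of your installed Mailman tree."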
Index: Mailman/ListAdmin.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/ListAdmin.py,v
retrieving revision 1.47.2.1
retrieving revision 1.47.2.4
diff -u -r1.47.2.1 -r1.47.2.4
--- Mailman/ListAdmin.py 2001/03/02 23:32:15 1.47.2.1
+++ Mailman/ListAdmin.py 2001/03/07 23:26:49 1.47.2.4
@@ -1,4 +1,4 @@
-# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
+# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -327,8 +327,8 @@
# subscribe
assert value == mm_cfg.SUBSCRIBE
try:
- self.ApprovedAddMember(addr, password, digest, lang)
- except Errors.MMAlreadyMember:
+ self.ApprovedAddMember(addr, password, digest)
+ except Errors.MMAlreadyAMember:
# User has already been subscribed, after sending the request
pass
# TBD: disgusting hack: ApprovedAddMember() can end up closing
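Review bot: the correction is right, but this code path evidently had no test coverage, and the hunk shows why the bug hid: Python evaluates the expression after `except` only when an exception propagates out of the `try`, so the misspelt `Errors.MMAlreadyMember` was never looked up until someone approved an address that was already subscribed, at which point the lookup itself failed instead of the intended `pass`. Suggest a regression test that approves a pending subscription for an existing member. The diff also drops the `lang` argument from `self.ApprovedAddMember(addr, password, digest)` without showing the callee; please confirm the signature on this branch matches the three-argument call and that `MMAlreadyAMember` is the name defined in `Errors`.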
Index: Mailman/Version.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/Version.py,v
retrieving revision 1.20.2.2
retrieving revision 1.20.2.3
diff -u -r1.20.2.2 -r1.20.2.3
--- Mailman/Version.py 2001/03/03 06:19:15 1.20.2.2
+++ Mailman/Version.py 2001/03/07 23:25:41 1.20.2.3
@@ -15,7 +15,7 @@
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# Mailman version
-VERSION = "2.0.2"
+VERSION = "2.0.3"
# And as a hex number in the manner of PY_VERSION_HEX
ALPHA = 0xa
@@ -27,7 +27,7 @@
MAJOR_REV = 2
MINOR_REV = 0
-MICRO_REV = 2
+MICRO_REV = 3
REL_LEVEL = FINAL
# at most 15 beta releases!
REL_SERIAL = 0
Index: admin/www/download.ht
===================================================================
RCS file: /cvsroot/mailman/mailman/admin/www/download.ht,v
retrieving revision 1.5.2.2
retrieving revision 1.5.2.4
diff -u -r1.5.2.2 -r1.5.2.4
--- admin/www/download.ht 2001/03/03 06:18:47 1.5.2.2
+++ admin/www/download.ht 2001/03/12 19:33:49 1.5.2.4
@@ -65,9 +65,9 @@
<h3>Downloading</h3>
<p>Version
-(<!-VERSION--->2.0.2<!-VERSION--->,
+(<!-VERSION--->2.0.3<!-VERSION--->,
released on
-<!-DATE--->Mar 3 2001<!-DATE--->)
+<!-DATE--->Mar 12 2001<!-DATE--->)
is the current GNU release. It is available from the following mirror sites:
<ul>
Index: admin/www/download.html
===================================================================
RCS file: /cvsroot/mailman/mailman/admin/www/download.html,v
retrieving revision 1.6.2.4
retrieving revision 1.6.2.6
diff -u -r1.6.2.4 -r1.6.2.6
--- admin/www/download.html 2001/03/03 06:18:47 1.6.2.4
+++ admin/www/download.html 2001/03/12 19:33:49 1.6.2.6
@@ -1,6 +1,6 @@
<HTML>
<!-- THIS PAGE IS AUTOMATICALLY GENERATED. DO NOT EDIT. -->
-<!-- Sat Mar 3 01:06:34 2001 -->
+<!-- Mon Mar 12 14:32:38 2001 -->
<!-- USING HT2HTML 1.1 -->
<!-- SEE http://www.wooz.org/barry/software/pyware.html -->
<!-- User-specified headers:
@@ -237,9 +237,9 @@
<h3>Downloading</h3>
<p>Version
-(<!-VERSION--->2.0.2<!-VERSION--->,
+(<!-VERSION--->2.0.3<!-VERSION--->,
released on
-<!-DATE--->Mar 3 2001<!-DATE--->)
+<!-DATE--->Mar 12 2001<!-DATE--->)
is the current GNU release. It is available from the following mirror sites:
<ul>
Index: contrib/README.securelinux_fix
===================================================================
RCS file: README.securelinux_fix
diff -N README.securelinux_fix
--- /dev/null Mon Dec 11 17:26:27 2000
+++ contrib/README.securelinux_fix Mon Mar 12 11:49:35 2001
@@ -0,0 +1,12 @@
+The securelinux_fix.py script, if copied in your installed
+~mailman/bin/ directory and run from there will modify permissions of
+files so that Mailman works despite the securelinux (aka openwall)
+symbolic and hard link restrictions.
+
+The way it works is that it makes sure that the UID of any script that
+touches config.db is `mailman'. What this means however is that
+scripts in ~mailman/bin will now only work if run as user mailman or
+root (the script then changes its UID and GID to mailman).
+
+Enjoy
+Marc MERLIN <marcsoft(a)merlins.org>/<marc_bts(a)valinux.com>
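Review bot: the README should tell the administrator the other half of what the script does. It says commands in ~mailman/bin "will now only work if run as user mailman or root", but the script's own docstring (see the securelinux_fix.py hunk below) also makes the SUID binaries unreadable and unrunnable for anyone outside the mailman group, which is the error an admin will actually see first. One sentence covering that, plus the reminder that `check_perms -f` must be followed by `securelinux_fix.py -f`, would save a support question. Minor: "if copied in" here versus "move it in" in README.LINUX; pick one.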
Index: contrib/securelinux_fix.py
===================================================================
RCS file: /cvsroot/mailman/mailman/contrib/securelinux_fix.py,v
retrieving revision 1.2
retrieving revision 1.2.2.1
diff -u -r1.2 -r1.2.2.1
--- contrib/securelinux_fix.py 2000/11/09 02:07:01 1.2
+++ contrib/securelinux_fix.py 2001/03/12 19:25:04 1.2.2.1
@@ -1,6 +1,6 @@
#! /usr/bin/env python
#
-# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
+# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -25,12 +25,12 @@
Mailman. The idea is that config.db files have to be owned by the mailman UID
and only touched by programs that are UID mailman.
-If you have to run check_perms -f, make sure to also run %(PROGRAM) -f, which
-applies the necessary permission fixes
+If you have to run check_perms -f, make sure to also run securelinux_fix.py
+-f, which applies the necessary permission fixes.
-As a result, to prevent anyone from running priviledged Mailman commands
-\(since the scripts are suid), binary commands that are changed to be SUID are
-also unreadable and unrunable by people who aren't in the mailman group. This
+As a result, to prevent anyone from running privileged Mailman commands (since
+the scripts are suid), binary commands that are changed to be SUID are also
+unreadable and unrunnable by people who aren't in the mailman group. This
shouldn't affect much since most of those commands would fail work if you
weren't part of the mailman group anyway.
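Review bot: hardcoding the script name in the docstring is the right call, because the removed form was broken anyway: `%(PROGRAM)` has no conversion character (it would need to be `%(PROGRAM)s`), so any attempt to `%`-format this docstring with a dictionary would have raised a ValueError rather than substituting the name. The spelling fixes (privileged, unrunnable) and the removed stray backslash before the parenthesis are fine.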
@@ -45,8 +45,6 @@
from Mailman import mm_cfg
from Mailman.mm_cfg import MAILMAN_UID, MAILMAN_GID
from stat import *
-
-PROGRAM = sys.argv[0]
# Those are the programs that we patch so that they insist being run under the
# mailman uid or as root.
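Review bot: removing `PROGRAM = sys.argv[0]` is only safe if nothing else in the file still references `PROGRAM`; the docstring use was replaced in the hunk above, but usage or error messages later in the script are outside this diff, so please grep the whole file before merging, since a surviving reference would now be a NameError at exactly the moment the script tries to report a problem. Unrelated style point while here: `from stat import *` pulls every S_* name into module scope; `import stat` with qualified names would be clearer in a script that manipulates permission bits.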
I've just uploaded the Mailman 2.0.2 release to SourceForge. This is
a bug fix release that also fixes a potential privacy hole, which
could allow a list administrator to get access to user passwords.
Even with those passwords, I believe there's little additional harm
that a list admin could do, but still they probably shouldn't have
access to those passwords.
There are a few other important fixes in this release, so I recommend
that all sites running Mailman 2.0 or 2.0.1 should upgrade.
As usual I'm releasing this as both a complete tarball and as a patch
against Mailman 2.0.1. If you grab the patchfile, you'll want to cd
into your 2.0 source, and apply it like so:
% patch -p1 < mailman-2.0.1-2.0.2.diff
Currently only http://mailman.sourceforge.net is updated, but the
list.org and gnu.org sites should be updated soon. The release
information on SF is at
http://sourceforge.net/project/shownotes.php?release_id=25955
My thanks to Thomas Wouters for his help!
Enjoy,
-Barry
P.S. I'm not sure if I'll have time to release a 2.1 alpha of the I18N
stuff before I leave for the Python9 conference. If we get the
expected foot of snow between Sunday and Monday, it's a
possibility. ;)
[From the NEWS file]
2.0.2 (03-Mar-2001)
Security fix:
- A fix for a potential privacy exploit where a clever list
administrator could gain access to user passwords. This doesn't
allow them to do much more harm to the user than they normally
could, but they still shouldn't have access to the passwords.
Bug fixes:
- In the admindb page, don't complain when approving a
subscription of someone who's already on the list (SF bug
#222409 - Thomas Wouters).
Also, quote for HTML the Subject: text printed for held
messages, otherwise messages with e.g. "Subject: </table>" could
royally screw page formatting.
- In Netscape.py bounce processor, don't bomb out on ill-formed
messages (no semi-colon separating parameters), otherwise mail
delivery could grind to a halt. Bug reported by Kambiz
Aghaiepour.
- Docstring fix bin/newlist to remove mention of "immediate"
argument (Thomas Wouters).
- Fix for bin/update when PREFIX != VAR_PREFIX (SF bug #229794 --
Thomas Wouters).
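The admindb fix in the 2.0.2 NEWS entry above (HTML-quoting the Subject: of held messages so that a header like "Subject: </table>" cannot break the page) is a small instance of a general rule: untrusted header text must be escaped before it is interpolated into markup. The following is an added illustration, not Mailman's code; the row template, the page template and the sample subject are constructed here, and it uses Python 3's html.escape rather than the cgi-era helper Mailman 2.0 would have used.

```python
import html

# Constructed sample input (not from the announcement): a held message whose
# Subject: header carries markup, the case the 2.0.2 NEWS entry describes.
HELD_SUBJECT = 'Re: budget </table><b>bold</b>'

# Hypothetical admindb page skeleton: one table that lists held messages.
PAGE_TEMPLATE = '<table><tr><th>Subject</th></tr>%s</table>'


def render_row_unsafe(subject):
    # Pre-fix behaviour, reconstructed for illustration: the raw header value
    # is interpolated straight into the table row, so any tag in the Subject
    # becomes part of the page structure.
    return '<tr><td>%s</td></tr>' % subject


def render_row_safe(subject):
    # Hardened form: quote the header for HTML first, so <, >, & and quotes
    # become entities and can no longer open or close tags or attributes.
    return '<tr><td>%s</td></tr>' % html.escape(subject, quote=True)


def render_page(row_renderer, subjects):
    # Build the whole admindb-style page from a list of held subjects.
    return PAGE_TEMPLATE % ''.join(row_renderer(s) for s in subjects)


def table_is_well_formed(page):
    # Structural check a reviewer can run on the output: the template's own
    # </table> must be the only one, and it must be the last tag on the page.
    return page.count('</table>') == 1 and page.rstrip().endswith('</table>')


if __name__ == '__main__':
    for name, renderer in (('unsafe', render_row_unsafe), ('safe', render_row_safe)):
        page = render_page(renderer, ['plain subject', HELD_SUBJECT])
        print('%s: well-formed=%s' % (name, table_is_well_formed(page)))
        print('  ' + page)
```

The structural check is deliberately crude (it counts closing tags rather than parsing), but it is enough to turn the NEWS entry's failure mode into an assertion: the unescaped rendering closes the table early, the escaped one does not, and the escaped subject still displays verbatim to the list administrator.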