ANNOUNCE Mailman 2.0.3
by barry@digicool.com 13 Mar '01
I'm sorry folks. As some of you are aware, a small but nasty typo snuck its way into the Mailman 2.0.2 release, necessitating a bug fix patch. Thus I've just uploaded Mailman 2.0.3 to SourceForge. I highly recommend that you upgrade to this version.

As usual I'm releasing this as both a complete tarball and as a patch against Mailman 2.0.2. You /must/ update your source to 2.0.2 before applying the 2.0.3 patch. Since the patch is small, I'm including it in this message. To apply, cd into your 2.0.2 source tree and apply it like so:

% patch -p0 < mailman-2.0.2-2.0.3.diff

Currently both http://mailman.sourceforge.net and http://www.list.org are updated, and I expect the gnu.org site to be updated soon as well. The release information on SF is at http://sourceforge.net/project/shownotes.php?release_id=27001

-Barry

P.S. It was nice to meet so many Mailman fans at IPC9! It was also quite cool to finally meet Thomas Wouters. Don't worry Thomas, I won't hold this one against ya. :)

[From the NEWS file]

2.0.3 (12-Mar-2001)

Bug fix release. There was a small typo in 2.0.2 in ListAdmin.py for approving an already subscribed member (thanks Thomas!). Also, an update to the OpenWall security workaround (contrib/securelinux_fix.py) was included. Thanks to Marc Merlin.

Index: NEWS
===================================================================
RCS file: /cvsroot/mailman/mailman/NEWS,v
retrieving revision 188.8.131.52
retrieving revision 184.108.40.206
diff -u -r220.127.116.11 -r18.104.22.168
--- NEWS 2001/03/03 06:51:26 22.214.171.124
+++ NEWS 2001/03/12 19:32:10 126.96.36.199
@@ -1,8 +1,15 @@ Mailman - The GNU Mailing List Management System -Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Here is a history of user visible changes to Mailman. + +2.0.3 (12-Mar-2001) + + Bug fix release. There was a small typo in 2.0.2 in ListAdmin.py + for approving an already subscribed member (thanks Thomas!). + Also, an update to the OpenWall security workaround + (contrib/securelinux_fix.py) was included. Thanks to Marc Merlin. 2.0.2 (03-Mar-2001) Index: README.LINUX =================================================================== RCS file: /cvsroot/mailman/mailman/README.LINUX,v retrieving revision 1.6 retrieving revision 188.8.131.52 diff -u -r1.6 -r184.108.40.206 --- README.LINUX 2000/09/19 17:25:23 1.6 +++ README.LINUX 2001/03/12 19:21:50 220.127.116.11 @@ -1,5 +1,5 @@ Mailman - The GNU Mailing List Management System -Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA GNU/LINUX ISSUES 
@@ -14,6 +14,11 @@ can cause "Operation not permitted" errors in MailList.Save() -- you will see a traceback. You must turn restricted hardlinks off. This is also known under the name of Openwall Security Patches. + +There is a workaround for this problem, you can use securelinux_fix.py +in the contrib directory (see the README.securelinux_fix.py). Note +that the script will not work until you move it in your installed +Mailman tree in the bin directory. Index: Mailman/ListAdmin.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/ListAdmin.py,v retrieving revision 18.104.22.168 retrieving revision 22.214.171.124 diff -u -r126.96.36.199 -r188.8.131.52 --- Mailman/ListAdmin.py 2001/03/02 23:32:15 184.108.40.206 +++ Mailman/ListAdmin.py 2001/03/07 23:26:49 220.127.116.11 @@ -1,4 +1,4 @@ -# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -327,8 +327,8 @@ # subscribe assert value == mm_cfg.SUBSCRIBE try: - self.ApprovedAddMember(addr, password, digest, lang) - except Errors.MMAlreadyMember: + self.ApprovedAddMember(addr, password, digest) + except Errors.MMAlreadyAMember: # User has already been subscribed, after sending the request pass # TBD: disgusting hack: ApprovedAddMember() can end up closing Index: Mailman/Version.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Version.py,v retrieving revision 18.104.22.168 retrieving revision 22.214.171.124 diff -u -r126.96.36.199 -r188.8.131.52 --- Mailman/Version.py 2001/03/03 06:19:15 184.108.40.206 +++ Mailman/Version.py 2001/03/07 23:25:41 220.127.116.11 
@@ -15,7 +15,7 @@ # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # Mailman version -VERSION = "2.0.2" +VERSION = "2.0.3" # And as a hex number in the manner of PY_VERSION_HEX ALPHA = 0xa @@ -27,7 +27,7 @@ MAJOR_REV = 2 MINOR_REV = 0 -MICRO_REV = 2 +MICRO_REV = 3 REL_LEVEL = FINAL # at most 15 beta releases! REL_SERIAL = 0 Index: admin/www/download.ht =================================================================== RCS file: /cvsroot/mailman/mailman/admin/www/download.ht,v retrieving revision 18.104.22.168 retrieving revision 22.214.171.124 diff -u -r126.96.36.199 -r188.8.131.52 --- admin/www/download.ht 2001/03/03 06:18:47 184.108.40.206 +++ admin/www/download.ht 2001/03/12 19:33:49 220.127.116.11 @@ -65,9 +65,9 @@ <h3>Downloading</h3> <p>Version -(<!-VERSION--->2.0.2<!-VERSION--->, +(<!-VERSION--->2.0.3<!-VERSION--->, released on -<!-DATE--->Mar 3 2001<!-DATE--->) +<!-DATE--->Mar 12 2001<!-DATE--->) is the current GNU release. It is available from the following mirror sites: <ul> Index: admin/www/download.html =================================================================== RCS file: /cvsroot/mailman/mailman/admin/www/download.html,v retrieving revision 18.104.22.168 retrieving revision 22.214.171.124 diff -u -r126.96.36.199 -r188.8.131.52 --- admin/www/download.html 2001/03/03 06:18:47 184.108.40.206 +++ admin/www/download.html 2001/03/12 19:33:49 220.127.116.11 @@ -1,6 +1,6 @@ <HTML> <!-- THIS PAGE IS AUTOMATICALLY GENERATED. DO NOT EDIT. --> -<!-- Sat Mar 3 01:06:34 2001 --> +<!-- Mon Mar 12 14:32:38 2001 --> <!-- USING HT2HTML 1.1 --> <!-- SEE http://www.wooz.org/barry/software/pyware.html --> <!-- User-specified headers: 
@@ -237,9 +237,9 @@ <h3>Downloading</h3> <p>Version -(<!-VERSION--->2.0.2<!-VERSION--->, +(<!-VERSION--->2.0.3<!-VERSION--->, released on -<!-DATE--->Mar 3 2001<!-DATE--->) +<!-DATE--->Mar 12 2001<!-DATE--->) is the current GNU release. It is available from the following mirror sites: <ul> Index: contrib/README.securelinux_fix =================================================================== RCS file: README.securelinux_fix diff -N README.securelinux_fix --- /dev/null Mon Dec 11 17:26:27 2000 +++ contrib/README.securelinux_fix Mon Mar 12 11:49:35 2001 @@ -0,0 +1,12 @@ +The securelinux_fix.py script, if copied in your installed +~mailman/bin/ directory and run from there will modify permissions of +files so that Mailman works despite the securelinux (aka openwall) +symbolic and hard link restrictions. + +The way it works is that it makes sure that the UID of any script that +touches config.db is `mailman'. What this means however is that +scripts in ~mailman/bin will now only work if run as user mailman or +root (the script then changes its UID and GID to mailman). + +Enjoy +Marc MERLIN <marcsoft(a)merlins.org>/<marc_bts(a)valinux.com> Index: contrib/securelinux_fix.py =================================================================== RCS file: /cvsroot/mailman/mailman/contrib/securelinux_fix.py,v retrieving revision 1.2 retrieving revision 18.104.22.168 diff -u -r1.2 -r22.214.171.124 --- contrib/securelinux_fix.py 2000/11/09 02:07:01 1.2 +++ contrib/securelinux_fix.py 2001/03/12 19:25:04 126.96.36.199 @@ -1,6 +1,6 @@ #! /usr/bin/env python # -# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License 
@@ -25,12 +25,12 @@ Mailman. The idea is that config.db files have to be owned by the mailman UID and only touched by programs that are UID mailman. -If you have to run check_perms -f, make sure to also run %(PROGRAM) -f, which -applies the necessary permission fixes +If you have to run check_perms -f, make sure to also run securelinux_fix.py +-f, which applies the necessary permission fixes. -As a result, to prevent anyone from running priviledged Mailman commands -\(since the scripts are suid), binary commands that are changed to be SUID are -also unreadable and unrunable by people who aren't in the mailman group. This +As a result, to prevent anyone from running privileged Mailman commands (since +the scripts are suid), binary commands that are changed to be SUID are also +unreadable and unrunnable by people who aren't in the mailman group. This shouldn't affect much since most of those commands would fail work if you weren't part of the mailman group anyway. @@ -45,8 +45,6 @@ from Mailman import mm_cfg from Mailman.mm_cfg import MAILMAN_UID, MAILMAN_GID from stat import * - -PROGRAM = sys.argv # Those are the programs that we patch so that they insist being run under the # mailman uid or as root.
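Review bot: in the README.LINUX hunk the new paragraph tells readers to "see the README.securelinux_fix.py", but the file this same patch adds is contrib/README.securelinux_fix, without the .py suffix; the two names should match. The unchanged context line just above it, "You must turn restricted hardlinks off", now contradicts the paragraph that follows it, which offers a workaround that leaves the restriction in place; reword it to something like "Either turn restricted hardlinks off or use the workaround described below" so the two sentences agree.

Review bot: in the Mailman/ListAdmin.py hunk the NEWS entry calls this "a small typo", but the hunk makes two distinct changes: the except clause now names Errors.MMAlreadyAMember instead of the non-existent Errors.MMAlreadyMember (the old name would have raised AttributeError at exactly the moment the handler was needed, i.e. when an admin approved an already subscribed address), and the fourth positional argument lang is dropped from the ApprovedAddMember() call, which the 2.0 signature evidently does not accept. The dropped argument deserves its own line in NEWS, since it is a separate failure from the misspelled exception and would have surfaced before the try/except was ever reached.

Review bot: in the new contrib/README.securelinux_fix the sentence "the script then changes its UID and GID to mailman" describes the privilege drop in the reverse of the order it must happen in: supplementary groups and the GID have to be changed while the process is still root, and the UID last, because once the UID is no longer 0 the setgid call fails. If the wording mirrors the code's call order, the code should be checked; either way, state the order here so administrators who adapt the script get it right.

Review bot: in the contrib/securelinux_fix.py hunk, dropping PROGRAM = sys.argv and hard-coding "securelinux_fix.py -f" in the docstring is the right call: "%(PROGRAM) -f" was never a valid format spec (no trailing s), and sys.argv is a list rather than the program name, so the docstring could not have been interpolated correctly in any case. Two follow-ups: if sys is referenced nowhere else in the script, its import is now dead; and the unchanged context line "most of those commands would fail work if you weren't part of the mailman group" still carries a typo ("fail work" for "fail to work") that this spelling-fix hunk could have picked up alongside "priviledged" and "unrunable".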
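The workaround described in contrib/README.securelinux_fix above has three parts: config.db must be owned by the mailman UID, a bin/ script is allowed to run only as mailman or as root, and when started as root it drops to mailman before touching anything. The guard below sketches that policy as standalone code. It is an added example written for this page, not Mailman's code and not Marc Merlin's securelinux_fix.py; the uid/gid constants, the function names and the "config.db" argument are assumptions, and a real deployment would read the ids from Mailman/mm_cfg.py.

```python
"""Privilege guard in the spirit of the securelinux_fix.py workaround.

Added example for this page, not Mailman's own code.  MAILMAN_UID and
MAILMAN_GID are assumed values standing in for whatever Mailman/mm_cfg.py
holds on the target host.
"""
import os
import sys

MAILMAN_UID = 41   # assumed; real value comes from mm_cfg.MAILMAN_UID
MAILMAN_GID = 41   # assumed; real value comes from mm_cfg.MAILMAN_GID


def decide(euid, target_uid=MAILMAN_UID):
    """Classify the calling user relative to the required UID.

    'run'    -> already the target user, nothing to do
    'drop'   -> root, may switch to the target user
    'refuse' -> anyone else cannot reach the target UID and must stop
    """
    if euid == target_uid:
        return "run"
    if euid == 0:
        return "drop"
    return "refuse"


def drop_privileges(uid=MAILMAN_UID, gid=MAILMAN_GID):
    """Irreversibly become uid:gid.

    Order matters: supplementary groups and GID first, UID last.  Once the
    UID is no longer 0 the setgroups/setgid calls would fail with EPERM.
    """
    os.setgroups([gid])
    os.setgid(gid)
    os.setuid(uid)
    # Confirm the drop took effect; never carry on as root by accident.
    if (os.getuid(), os.geteuid(), os.getgid()) != (uid, uid, gid):
        raise RuntimeError("privilege drop to %d:%d failed" % (uid, gid))


def owned_by(path, uid):
    """True if `path` is owned by `uid`.

    This is the property the workaround enforces for config.db: with the
    Openwall link restrictions, only the owner can rely on link()/rename()
    against it succeeding.
    """
    return os.stat(path).st_uid == uid


def require_mailman(path, uid=MAILMAN_UID, gid=MAILMAN_GID):
    """Entry guard for a bin/ script that is about to rewrite `path`.

    Exits with a message in the refuse case, drops privileges in the root
    case, and finally checks the file's owner.  Returns the action taken so
    callers can log it.
    """
    action = decide(os.geteuid(), uid)
    if action == "refuse":
        sys.exit("%s: must be run as root or as uid %d" % (sys.argv[0], uid))
    if action == "drop":
        drop_privileges(uid, gid)
    if not owned_by(path, uid):
        sys.exit("%s: %s is not owned by uid %d; run check_perms -f first"
                 % (sys.argv[0], path, uid))
    return action


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "config.db"
    print(require_mailman(target))
```

Run it as the mailman user against the real config.db path to see "run", as root to see "drop" (after which the process is mailman:mailman), and as any other user to get the refusal before any file is touched. The ownership check comes after the drop on purpose: a file that root could read but mailman cannot should fail the guard, not pass it.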
ANNOUNCE Mailman 2.0.2 (important privacy patch)
by barry@digicool.com 03 Mar '01
I've just uploaded the Mailman 2.0.2 release to SourceForge. This is a bug fix release that also fixes a potential privacy hole, which could allow a list administrator to get access to user passwords. Even with those passwords, I believe there's little additional harm that a list admin could do, but still they probably shouldn't have access to those passwords. There are a few other important fixes in this release, so I recommend that all sites running Mailman 2.0 or 2.0.1 should upgrade.

As usual I'm releasing this as both a complete tarball and as a patch against Mailman 2.0.1. If you grab the patchfile, you'll want to cd into your 2.0 source, and apply it like so:

% patch -p1 < mailman-2.0.1-2.0.2.diff

Currently only http://mailman.sourceforge.net is updated, but the list.org and gnu.org sites should be updated soon. The release information on SF is at http://sourceforge.net/project/shownotes.php?release_id=25955

My thanks to Thomas Wouters for his help!

Enjoy,
-Barry

P.S. I'm not sure if I'll have time to release a 2.1 alpha of the I18N stuff before I leave for the Python9 conference. If we get the expected foot of snow between Sunday and Monday, it's a possibility. ;)

[From the NEWS file]

2.0.2 (03-Mar-2001)

Security fix:

- A fix for a potential privacy exploit where a clever list administrator could gain access to user passwords. This doesn't allow them to do much more harm to the user than they normally could, but they still shouldn't have access to the passwords.

Bug fixes:

- In the admindb page, don't complain when approving a subscription of someone who's already on the list (SF bug #222409 - Thomas Wouters). Also, quote for HTML the Subject: text printed for held messages, otherwise messages with e.g. "Subject: </table>" could royally screw page formatting.

- In Netscape.py bounce processor, don't bomb out on ill-formed messages (no semi-colon separating parameters), otherwise mail delivery could grind to a halt. Bug reported by Kambiz Aghaiepour.

- Docstring fix bin/newlist to remove mention of "immediate" argument (Thomas Wouters).

- Fix for bin/update when PREFIX != VAR_PREFIX (SF bug #229794 -- Thomas Wouters).
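The admindb fix in the 2.0.2 NEWS entry above (quote the Subject: of held messages for HTML) is the general rule that any header text taken from an untrusted message must be escaped before it is embedded in an administrator's page; a subject of "</table>" closes the layout, and a subject carrying a script tag would run in the admin's browser. The example below puts the unquoted rendering beside the quoted one and a small structural check that tells them apart. It is an added example written for this page, not Mailman's admindb code; the table layout, the helper names and the two held messages are constructed.

```python
"""Quote untrusted message headers before embedding them in admin HTML.

Added example for this page, not Mailman's admindb code.  The row layout
and the sample held messages below are constructed for illustration.
"""
import re
from html import escape

# Constructed sample queue: the second Subject: is the "</table>" case
# from the 2.0.2 NEWS entry, with a script tag added to show the wider risk.
HELD = [
    ("alice@example.invalid", "Re: meeting notes", "Post by non-member"),
    ("mallory@example.invalid",
     '</table><script>alert("held")</script>',
     "Message has implicit destination"),
]

ROW = "<tr><td>%s</td><td>%s</td><td>%s</td></tr>"


def row_unquoted(sender, subject, reason):
    """The pre-2.0.2 behaviour: header text is dropped into the markup as-is."""
    return ROW % (sender, subject, reason)


def row_quoted(sender, subject, reason):
    """The fixed behaviour: every header-derived string is HTML-escaped.

    quote=True also escapes ' and " so the same helper is safe inside
    attribute values, not only between tags.
    """
    return ROW % tuple(escape(s, quote=True) for s in (sender, subject, reason))


def held_table(rows, render=row_quoted):
    """Render the held-messages table with the given row renderer."""
    return "<table>" + "".join(render(*r) for r in rows) + "</table>"


def has_stray_tags(rendered):
    """True if the page contains any tag the renderer itself did not emit.

    Crude but sufficient here: a correctly quoted page contains only the
    table/tr/td tags from ROW, however hostile the header text was.
    """
    allowed = {"table", "/table", "tr", "/tr", "td", "/td"}
    return any(tag not in allowed for tag in re.findall(r"<([^>]+)>", rendered))


if __name__ == "__main__":
    print("unquoted page has stray tags:", has_stray_tags(held_table(HELD, row_unquoted)))
    print("quoted page has stray tags:  ", has_stray_tags(held_table(HELD, row_quoted)))
    print(held_table(HELD))
```

The check is deliberately mechanical: it does not try to decide whether a tag is harmful, only whether the output contains anything beyond the fixed markup the renderer wrote, which is the property the fix restores.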