I have released Mailman 2.1.3, a bug fix release which also contains
support for four new languages: Ukrainian, Serbian, Euskara (Basque),
and Danish. This release also contains a fix for a cross-site
scripting vulnerability in the 'create' cgi script, as well as
improved performance of the bounce and outgoing queue runners. I
recommend all sites running versions of the 2.1.x line upgrade to the
The full source tarball has been made available from the usual sites
(although the gnu.org sites have not yet been updated). Sorry, there
is no patch available, but you should be able to install 2.1.3 over
your existing 2.1.x installation. See
for links to download all the patches and the source tarballs. After
installing, be sure you restart your Mailman daemon by doing a
http://www.gnu.org/software/mailman
http://www.list.org (not yet updated)
-------------------- snip snip --------------------
Performance, Reliability, Security
- Closed a cross-site scripting exploit in the create cgi script.
- Improvements in the performance of the bounce processor.
Now, instead of processing each bounce immediately (which
can cause severe lock contention), bounce events are queued.
Every 15 minutes by default, the queued bounce events are
processed en masse, on a list-per-list basis, so that each
list only needs to be locked once.
- When some or all of a message's recipients have temporary
delivery failures, the message is moved to a "retry" queue.
This queue wakes up occasionally and moves the file back to
the outgoing queue for attempted redelivery. This should
fix most observed OutgoingRunner 100% cpu consumption,
especially for bounces to local recipients when using the
- Optional support for fsync()'ing qfile data after writing.
Under some catastrophic system failures (e.g. power loss),
it would be possible to lose messages because the data
wasn't sync'd to disk. By setting SYNC_AFTER_WRITE to True
in Mailman/Queue/Switchboard.py, you can force Mailman to
fsync() queue files after flushing them. The benefits are
debatable for most operating environments, and you must
ensure that your Python has the os.fsync() function defined
before enabling this feature (it isn't, even on all
Unix-like operating systems).
- New languages Ukrainian, Serbian, Danish, Euskara/Basque.
- Fixes to template lookup. Lists with local overriding
templates would find the wrong template.
- .mo files (for internationalization) are now generated at
build time instead of coming as part of the source
- A first draft of member documentation by Terri Oda. There
is also a Japanese translation of this manual by Ikeda Soji.
Archiver / Pipermail
- In the configuration variables PUBLIC_EXTERNAL_ARCHIVER, and
PRIVATE_EXTERNAL_ARCHIVER, %(hostname)s has been added to
the list of allowable substitution variables.
- The timezone is now taken into account when figuring the
posting date for an article.
Scripts / Cron
- Fixes to cron/disabled for NotAMemberError crashes.
- New script bin/show_qfiles which prints the contents of .pck
message files. New script bin/discard which can be used to
mass discard held messages.
- Fixes to cron/mailpasswds to account for old password-less
- bin/list_members has grown two new options: --invalid/-i
prints only the addresses in the member database that are
invalid (which could have snuck in via old releases);
--unicode/-u prints addresses which are stored as Unicode
objects instead of as normal strings.
- Fixes to problems in some configurations where Python wouldn't
be able to find its standard library.
- Fixes to the digest which could cause MIME-losing missing
newlines when parts are scrubbed via the content filters.
- In the News/Mail gateway admin page, the configuration variable
nntp_host can now be a name:port pair.
- When messages are pulled from NNTP, the member moderation checks
- email 2.5.4 is included. This fixes an RFC 2231 bug, among
- Fixed some extra spaces that could appear in the List-ID header.
- Fixes to ensure that invalid email addresses can't be invited.
- WEB_LINK_COLOR in Defaults.py/mm_cfg.py should now work.
- Fixes so that shunted message file names actually match
those logged in log/errors.
- An improved pending action cookie generation algorithm has
- Fixes to the DSN bounce detector.
- The usual additional u/i, internationalization, unicode, and
other miscellaneous fixes.
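
The fsync() item above, sketched as an added example (not Mailman's own code, and not part of the original announcement): a queue-file write that flushes, then calls os.fsync() only when the option is on and the function exists. The function names, the ".tmp" naming and the rename step are assumptions made for illustration; only SYNC_AFTER_WRITE and os.fsync() come from the notes.

```python
import os
import tempfile

# Assumed stand-in for the SYNC_AFTER_WRITE switch named in the release notes.
SYNC_AFTER_WRITE = True


def fsync_available():
    """The notes warn that os.fsync() is not defined on every platform."""
    return hasattr(os, "fsync")


def write_qfile(path, data, sync=SYNC_AFTER_WRITE):
    """Write a queue file; return True only if the data was fsync()'d."""
    tmp = path + ".tmp"            # hypothetical temp-file naming
    synced = False
    with open(tmp, "wb") as fp:
        fp.write(data)
        fp.flush()                 # Python buffer -> OS page cache
        if sync and fsync_available():
            os.fsync(fp.fileno())  # OS page cache -> disk
            synced = True
    os.replace(tmp, path)          # readers never see a half-written file
    return synced


def demo():
    """Write one constructed message with and without syncing."""
    msg = b"From: a@example.com\n\nconstructed test message\n"
    with tempfile.TemporaryDirectory() as qdir:
        p1 = os.path.join(qdir, "1.pck")
        p2 = os.path.join(qdir, "2.pck")
        with_sync = write_qfile(p1, msg, sync=True)
        without_sync = write_qfile(p2, msg, sync=False)
        with open(p1, "rb") as fp:
            intact = fp.read() == msg
        leftovers = [n for n in os.listdir(qdir) if n.endswith(".tmp")]
    return with_sync, without_sync, intact, leftovers


if __name__ == "__main__":
    print(demo())
```

Without the fsync() call, flush() alone leaves the data in the operating system's cache, which is the window in which a power failure can lose a message.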