On behalf of the development team, I'm pleased to announce the release
of GNU Mailman 2.1.8. In this release, we have fixed a cross-site
scripting security bug in the previous release (CVE-2006-1712),
integrated a new version of the email library (email-2.5.7), and added
bounce processing support for a number of sites and MUAs. It is highly
recommended that all sites using 2.1.7 and before should update to this
Mailman is free software for managing email mailing lists and e-newsletters.
For more information, see:
For links to download the Mailman 2.1.8 source tarball, see:
(Note that uploading to the mirror sites may be delayed.)
Mailman 2.1.8rc1 was released for the final test of 2.1.8.
Important: This is not only a release candidate but also includes a fix
for a cross-site scripting bug found in 2.1.7. All sites running
previous versions are advised to upgrade to 2.1.8(rc1). I am going to
release the final by the next weekend if nothing serious happens.
Please download it from the SourceForge file area:
Here is a history of user visible changes to Mailman.
- A cross-site scripting hole in the private archive script of 2.1.7
has been closed. Thanks to Moritz Naumann for its discovery.
Bug fixes and other patches
- Bouncers support added: 'unknown user', Microsoft SMTPSVC,
and several others.
- Updated email library to 2.5.7 which will encode payload into
upon setting. This enabled backing out the scrubber related patches
including 'X-Mailman-Scrubbed' header in 2.1.7.
- Fix SpamDetect.py potential hold/reject loop problem.
- A warning message from the email package to stderr can cause an error
in Logging because stderr may be detached from the process during
the qrunner run. We chose to output errors to logs/error rather than
to stderr if the process is running as a mailmanctl subprocess.
- DKIM header cleansing was separated from Cleanse.py and added to
-owner messages too.
- Fixes: Lose Topics when go directly to topics URL (1194419).
UnicodeError running bin/arch (1395683). edithtml.py missing import
(1400128). Bad escape in cleanarch. Wrong timezone in list archive
index pages (1433673). bin/arch fails with TypeError (1430236).
Subscription fails with some Language combinations (1435722).
Postfix delayed notification not recognized (863989). 2.1.7 (VERP)
mistakes delay notice for bounce (1421285). show_qfiles: 'str'
object has no attribute 'as_string' (1444447). Utils.get_domain()
wrong if VIRTUAL_HOST_OVERVIEW off (1275856).
- Brad Knowles' mailman daily status report script updated to 0.0.16.
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp