I have released Mailman 2.1.3, a bug fix release which also contains support for four new languages: Ukrainian, Serbian, Euskara (Basque), and Danish. This release also contains a fix for a cross-site scripting vulnerability in the 'create' cgi script, as well as improved performance of the bounce and outgoing queue runners. I recommend all sites running versions of the 2.1.x line upgrade to the new version.
The full source tarball has been made available from the usual sites (although the gnu.org sites have not yet been updated). Sorry, there is no patch available, but you should be able to install 2.1.3 over your existing 2.1.x installation. See
for links to download all the patches and the source tarballs. After installing, be sure you restart your Mailman daemon by doing a "mailmanctl restart".
http://www.gnu.org/software/mailman
http://www.list.org (not yet updated)
http://mailman.sf.net
-------------------- snip snip --------------------

2.1.3 (28-Sep-2003)

Performance, Reliability, Security

- Closed a cross-site scripting exploit in the create cgi script.
- Improvements in the performance of the bounce processor. Now, instead of processing each bounce immediately (which can cause severe lock contention), bounce events are queued. Every 15 minutes by default, the queued bounce events are processed en masse, on a list-per-list basis, so that each list only needs to be locked once.
- When some or all of a message's recipients have temporary delivery failures, the message is moved to a "retry" queue. This queue wakes up occasionally and moves the file back to the outgoing queue for attempted redelivery. This should fix most observed OutgoingRunner 100% cpu consumption, especially for bounces to local recipients when using the Postfix MTA.
- Optional support for fsync()'ing qfile data after writing. Under some catastrophic system failures (e.g. power loss), it would be possible to lose messages because the data wasn't sync'd to disk. By setting SYNC_AFTER_WRITE to True in Mailman/Queue/Switchboard.py, you can force Mailman to fsync() queue files after flushing them. The benefits are debatable for most operating environments, and you must ensure that your Python has the os.fsync() function defined before enabling this feature (it isn't, even on all Unix-like operating systems).

Internationalization

- New languages Ukrainian, Serbian, Danish, Euskara/Basque.
- Fixes to template lookup. Lists with local overriding templates would find the wrong template.
- .mo files (for internationalization) are now generated at build time instead of coming as part of the source distribution.

Documentation

- A first draft of member documentation by Terri Oda. There is also a Japanese translation of this manual by Ikeda Soji.

Archiver / Pipermail

- In the configuration variables PUBLIC_EXTERNAL_ARCHIVER and PRIVATE_EXTERNAL_ARCHIVER, %(hostname)s has been added to the list of allowable substitution variables.
- The timezone is now taken into account when figuring the posting date for an article.

Scripts / Cron

- Fixes to cron/disabled for NotAMemberError crashes.
- New script bin/show_qfiles which prints the contents of .pck message files. New script bin/discard which can be used to mass discard held messages.
- Fixes to cron/mailpasswds to account for old password-less subscriptions.
- bin/list_members has grown two new options: --invalid/-i prints only the addresses in the member database that are invalid (which could have snuck in via old releases); --unicode/-u prints addresses which are stored as Unicode objects instead of as normal strings.

Miscellaneous

- Fixes to problems in some configurations where Python wouldn't be able to find its standard library.
- Fixes to the digest which could cause MIME-losing missing newlines when parts are scrubbed via the content filters.
- In the News/Mail gateway admin page, the configuration variable nntp_host can now be a name:port pair.
- When messages are pulled from NNTP, the member moderation checks are short-circuited.
- email 2.5.4 is included. This fixes an RFC 2231 bug, among possibly others.
- Fixed some extra spaces that could appear in the List-ID header.
- Fixes to ensure that invalid email addresses can't be invited.
- WEB_LINK_COLOR in Defaults.py/mm_cfg.py should now work.
- Fixes so that shunted message file names actually match those logged in log/errors.
- An improved pending action cookie generation algorithm has been added.
- Fixes to the DSN bounce detector.
- The usual additional u/i, internationalization, unicode, and other miscellaneous fixes.
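
The fsync()-after-flush behaviour described under "Performance, Reliability, Security" can be sketched as follows. This is an added example, not Mailman's own Switchboard code: only the name SYNC_AFTER_WRITE and the .pck pickle format come from the notes above, while write_qfile, read_qfile, can_fsync, demo and the sample message are hypothetical.

```python
import os
import pickle
import tempfile

# Flag name taken from the release notes; all other names are hypothetical.
SYNC_AFTER_WRITE = True


def can_fsync():
    """True if this Python build defines os.fsync() (the notes warn it may not)."""
    return hasattr(os, "fsync")


def write_qfile(path, payload, sync=SYNC_AFTER_WRITE):
    """Pickle payload to path via a temp file; return True if it was fsync()'d."""
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, suffix=".tmp")
    synced = False
    try:
        with os.fdopen(fd, "wb") as fp:
            pickle.dump(payload, fp, protocol=2)
            fp.flush()                  # Python buffer -> kernel page cache
            if sync and can_fsync():
                os.fsync(fp.fileno())   # page cache -> stable storage
                synced = True
        os.replace(tmp, path)           # readers never see a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)              # do not leave partial files in the queue
        raise
    return synced


def read_qfile(path):
    """Load a queue entry written by write_qfile()."""
    with open(path, "rb") as fp:
        return pickle.load(fp)


def demo():
    """Round-trip a constructed entry through a temporary queue directory."""
    with tempfile.TemporaryDirectory() as qdir:
        path = os.path.join(qdir, "constructed-entry.pck")
        msg = {"listname": "test-list", "recips": ["user@example.com"]}  # constructed
        synced = write_qfile(path, msg)
        return synced, read_qfile(path) == msg, os.listdir(qdir)
```

Without the os.fsync() call, flush() only hands the data to the kernel, which is the window in which a power failure can lose a queued message.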