I've released Mailman 2.0.12, which fixes a cross-site scripting vulnerability, among other changes. I recommend that folks upgrade their 2.0.x systems to this new version. See below for a NEWS file excerpt.
As usual, I've made both full source tarballs and patches available. See

http://www.gnu.org/software/mailman
http://www.list.org
http://mailman.sf.net

for links to download all the patches and the source tarball. If you decide to install the patches, please do read the release notes first:
-------------------- snip snip --------------------

2.0.12 (02-Jul-2002)

- Implemented a guard against some reply loops and 'bot subscription attacks. Specifically, if a message to -request has a Precedence: bulk (or list, or junk) header, the command is ignored. Well-behaved 'bots should always include such a header.

- Changes to the configure script so that you can pass in the mail host and web host by setting the environment variables MAILHOST and WWWHOST respectively. configure will also exit if it can't figure out these values (usually due to broken DNS).

- Closed another minor cross-site scripting vulnerability.
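As an added illustration of the -request guard described in the first NEWS item (example code written for this page, not Mailman's own implementation; the list address and the two sample messages are constructed):

```python
import email
from email import policy
from email.message import EmailMessage

# Precedence values that mark automated bulk mail. A command sent to the
# -request address carrying one of these is dropped rather than processed,
# which breaks autoresponder reply loops and 'bot-driven subscriptions.
AUTOMATED_PRECEDENCE = frozenset({"bulk", "list", "junk"})


def is_automated(msg: EmailMessage) -> bool:
    """Return True if the message carries a Precedence: bulk/list/junk header."""
    # Compare case-insensitively with surrounding whitespace stripped; a
    # message may carry more than one Precedence header, so check each.
    for value in msg.get_all("Precedence", []):
        if value.strip().lower() in AUTOMATED_PRECEDENCE:
            return True
    return False


def handle_request_message(raw: str) -> str:
    """Decide whether a message to the -request address is processed.

    Returns 'ignored' for automated senders, otherwise 'process' so the
    body's commands (subscribe, unsubscribe, help, ...) can be parsed.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    return "ignored" if is_automated(msg) else "process"


# Constructed sample messages, not real traffic.
BOT_MESSAGE = """\
From: autoresponder@example.org
To: mylist-request@lists.example.com
Precedence: Bulk
Subject: Out of office

subscribe
"""

HUMAN_MESSAGE = """\
From: alice@example.org
To: mylist-request@lists.example.com
Subject: subscribe

subscribe
"""

if __name__ == "__main__":
    print(handle_request_message(BOT_MESSAGE))    # ignored
    print(handle_request_message(HUMAN_MESSAGE))  # process
```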