11 Jul
2002
7:52 p.m.
I've released Mailman 2.0.12 which fixes a cross-site scripting vulnerability, among other changes. I recommend that folks upgrade their 2.0.x systems to this new version. See below for a NEWS file excerpt.
As usual, I've made both full source tarballs and patches available. See
http://sourceforge.net/project/showfiles.php?group_id=103
for links to download all the patches and the source tarball. If you decide to install the patches, please do read the release notes first:
http://sourceforge.net/project/shownotes.php?release_id=97760
See also:
http://www.gnu.org/software/mailman
http://www.list.org
http://mailman.sf.net
Cheers, -Barry
-------------------- snip snip --------------------
2.0.12 (02-Jul-2002)
- Implemented a guard against some reply loops and 'bot
subscription attacks. Specifically, if a message to -request
has a Precedence: bulk (or list, or junk) header, the command is
ignored. Well-behaved 'bots should always include such a
header.
- Changes to the configure script so that you can pass in the mail
host and web host by setting the environment variables MAILHOST
and WWWHOST respectively. configure will also exit if it can't
figure out these values (usually due to broken dns).
- Closed another minor cross-site scripting vulnerability.
Participant: barry@zope.com
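The Precedence guard described in the first NEWS item, sketched as an added example; this is not Mailman's own code and not part of the original message. The function name, the sample addresses and the sample messages are constructed for illustration.

```python
from email import message_from_string

# Precedence values the 2.0.12 NEWS entry names as marking automated mail.
AUTOMATED_PRECEDENCE = {"bulk", "list", "junk"}


def should_ignore_command(raw_message):
    """Return True if commands in a message to -request should be ignored.

    Hypothetical helper: it mirrors the rule in the NEWS entry, not
    Mailman's actual implementation.
    """
    msg = message_from_string(raw_message)
    # Header names match case-insensitively; get_all() also covers a
    # message that carries more than one Precedence header.
    for value in msg.get_all("Precedence", []):
        if str(value).strip().lower() in AUTOMATED_PRECEDENCE:
            return True
    return False


# Constructed sample messages (not taken from any real list).
HUMAN = (
    "From: alice@example.org\n"
    "To: demo-request@lists.example.org\n"
    "Subject: subscribe\n\nsubscribe\n"
)
AUTOREPLY = (
    "From: vacation@example.net\n"
    "To: demo-request@lists.example.org\n"
    "Subject: Out of office\n"
    "Precedence: bulk\n\nI am away until Monday.\n"
)
ODD_CASE = (
    "From: bot@example.net\n"
    "To: demo-request@lists.example.org\n"
    "precedence:   Junk \n\nsubscribe\n"
)
FIRST_CLASS = (
    "From: bob@example.org\n"
    "To: demo-request@lists.example.org\n"
    "Precedence: first-class\n\nhelp\n"
)

if __name__ == "__main__":
    samples = [("human", HUMAN), ("autoreply", AUTOREPLY),
               ("odd case", ODD_CASE), ("first-class", FIRST_CLASS)]
    for name, raw in samples:
        print(name, "->", "ignore" if should_ignore_command(raw) else "process")
```

An autoresponder that replies to the list's own confirmation mail is dropped here because its reply carries `Precedence: bulk`, which is what breaks the loop; a responder that omits the header is not caught by this check.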