Mailman-Developers October 2021

mailman-developers@python.org

4 participants
3 discussions

Mailman 2.1 security release
by Mark Sapiro 26 Oct '21

26 Oct '21

A couple of vulnerabilities have recently been reported. Thanks to Andre Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and helping with the development of a fix. CVE-2021-42096 could allow a list member to discover the list admin password. CVE-2021-42097 could allow a list member to create a successful CSRF attack against another list member enabling takeover of the members account. These attacks can't be carried out by non-members so may not be of concern for sites with only trusted list members. In any case, I am planning to make a 2.1.35 release and to post a patch for those who don't want to upgrade to address these issues. This is scheduled for Tuesday, October 19. -- Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

2 5

Hyperkitty and mailman-hyperkitty releases
by Abhilash Raj 13 Oct '21

13 Oct '21

Hello Everyone, I have just tagged and released Hyperkitty 1.3.5 and mailman-hyperkitty plugin 1.2.0 to PyPI. This release includes some changes in the authentication between mailman-hyperkitty plugin and Hyperkitty. For that reason, it is important to upgrade both Hyperkitty and mailman-hyperkitty plugin to the latest versions, or it could result in a broken installation. This release of Hyperkitty has bugfixes, some new features and some security enhancements. A full list of changes is available at: https://docs.mailman3.org/projects/hyperkitty/en/latest/news.html#news-1-3-5 The release tarball is available at PyPI: https://pypi.org/project/HyperKitty/#files https://pypi.org/project/mailman-hyperkitty/#files You can upgrade your installations by running: pip install mailman-hyperkitty hyperkitty -U After the upgrade, please make sure to run these commands: https://docs.mailman3.org/en/latest/upgrade-3.2.html#post-upgrade Also, make sure to restart Mailman Core after upgrading mailman-hyperkitty plugin. Finally, many thanks to all the people who contributed to this release. -- thanks, Abhilash Raj (maxking)

1 0

FYI: Another attempt at describing From: rewriting
by Alessandro Vesely 06 Oct '21

06 Oct '21

Hi, Douglas Foster posted this draft to the IETF. For discussion, see: https://mailarchive.ietf.org/arch/msg/dmarc/Fp1nnmBc242kxvxM7seVwoQ6ccU Best Ale ---------- Forwarded message --------- From: <internet-drafts(a)ietf.org> Date: Sun, Oct 3, 2021 at 8:14 PM Subject: New Version Notification for draft-fosterd-dmarc-compliant-mailing-lists-00.txt To: Douglas Foster <dougfoster.emailstandards(a)gmail.com> A new version of I-D, draft-fosterd-dmarc-compliant-mailing-lists-00.txt has been successfully submitted by Douglas Foster and posted to the IETF repository. Name: draft-fosterd-dmarc-compliant-mailing-lists Revision: 00 Title: DMARC Compliant Mailing Lists Document date: 2021-10-03 Group: Individual Submission Pages: 10 URL: https://www.ietf.org/archive/id/draft-fosterd-dmarc-compliant-mailing-lists… Status: https://datatracker.ietf.org/doc/draft-fosterd-dmarc-compliant-mailing-list… Html: https://www.ietf.org/archive/id/draft-fosterd-dmarc-compliant-mailing-lists… Htmlized: https://datatracker.ietf.org/doc/html/draft-fosterd-dmarc-compliant-mailing… Abstract: Mailing Lists often make changes to a message before it is retransmitted. This invalidates DKIM signatures, causing a DMARC test on the RFC5322.From addres to fail. A DMARC-compliant mailing list is one which uses member alias addresses to identify the document as sent by a specific author via the mechanism of the list. An appropriate aliasing mechanism will not only prevent DMARC FAIL, but will also allow messages between members, will look natural to senders and recipients, and will allow list organization domains to advance to p=reject. This document describes an aliasing approach which meets these goals. The IETF Secretariat

1 0

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

Mailman-Developers October 2021