Hey Everyone,
I am pleased to announce that Postorius 1.3.6b1 is now out. This is the
first pre-release for 1.3.6, which is slated for release next week, soon
after the Mailman Core 3.3.5 release.
This release requires Mailman Core 3.3.5 release, so if you are trying
out this release, please also upgrade Mailman Core to 3.3.5rc1 (which
was just released today).
This release includes several new features and bug fixes. A full list of
changes is available here[1].
With this release, we have also improved on the localization of the
interface. If you want to help out before the release of the stable
1.3.6, please see the instructions for translators here[2]. We use
Weblate for translations, so if you are familiar with that, you can
directly head over there[3].
Since this is a pre-release version, you can install this using pip via:
$ pip install --upgrade --pre postorius django-mailman3 mailmanclient
Please also ensure to run the post-install commands as per the upgrade
documentation[4] (commands _after_ pip install, needs a post-install
heading/anchor in there :-).
A release tarball is available on PyPI:
https://pypi.org/project/postorius/1.3.6b1/#files
Finally, thanks to all the folks who helped with this release in any
capacity and made it possible.
[1]: https://docs.mailman3.org/projects/postorius/en/latest/news.html#news-1-3-6
[2]: https://docs.mailman3.org/en/latest/translation.html
[3]: https://hosted.weblate.org/projects/gnu-mailman/postorius/
[4]: https://docs.mailman3.org/en/latest/upgrade-3.2.html#virtualenv-install
thanks,
Abhilash
Hello Everyone,
I am pleased to announce that Mailman Core 3.3.5b1 is now out. It is a
pre-release for 3.3.5, which is slated to come out in 3 weeks from now.
I am planning for a 2 week beta period, after which I'll release the
first RC and then stable a week after. Right now I am not planning to
release a second beta version, but if there are several changes in Core
in the next week or so, then I might.
This release includes a lot of bug fixes and some new features. It also
includes a security enhancement that improves the authentication of REST
API by adding resistance to some timing channel attacks.
A full list of changes in this version can be found here[1].
[1]: https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/docs/NEWS.…
We have also made improvements in the i18n workflow and now the email
templates are updated from the translated messages in the .po files that
we get from Weblate. Documentation for translators is available here[2]
if you want to help translate Mailman into your native language.
[2]: https://docs.mailman3.org/en/latest/translation.html
This is a pre-release version. If you want to test it with your setup,
you can install it using:
$ pip install --pre mailman==3.3.5b1
If you want to download a release tarball, you can do so from here:
https://pypi.org/project/mailman/3.3.5b1/#files
This release received a lot of contributions from the community, which I am
really happy about! I'd like to thank everyone who made this release
possible!
--
thanks,
Abhilash Raj (maxking)
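
Added example, not part of the announcement above and not Mailman Core's own code: a credential check for a REST API with the timing-sensitive form next to a constant-time form. It assumes HTTP Basic credentials; the names `EXPECTED_USER`, `EXPECTED_PASS`, `parse_basic`, `check_naive`, `check_constant_time` and `basic` are hypothetical and the credential values are constructed.

```python
import base64
import hmac

# Constructed credentials for this example; not real Mailman configuration values.
EXPECTED_USER = "restadmin"
EXPECTED_PASS = "s3cret-example"


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64, non-ASCII token or invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_naive(header):
    """Timing-sensitive form: == may stop at the first differing character and
    `and` skips the password comparison whenever the user name is wrong."""
    creds = parse_basic(header)
    return creds is not None and creds[0] == EXPECTED_USER and creds[1] == EXPECTED_PASS


def check_constant_time(header):
    """Hardened form: both fields are always compared with hmac.compare_digest."""
    creds = parse_basic(header) or ("", "")
    user_ok = hmac.compare_digest(creds[0].encode(), EXPECTED_USER.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), EXPECTED_PASS.encode())
    # & on two bools evaluates both operands, so a wrong user name is not a shortcut.
    return user_ok & pass_ok


def basic(user, password):
    """Build an Authorization header value for the demo inputs."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Both functions return the same accept/reject decision; the difference is only in how much the response time depends on where the supplied value first differs from the expected one.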
Hey Everyone,
I tagged and released version 0.4.0 of the container images for Mailman. This release includes
several fixes that have been accumulating in the repo for how Mailman is set up in the
containers. This release does not include any Mailman component version bump from the 0.3.12
release.
More specifically, the major change is that we no longer require static IP configuration in the
container images (like previously) and can handle dynamic addresses that are allocated to
the containers by Docker. This should help simplify the setup for folks using Kubernetes or
other setup than the provided docker-compose files.
The migration steps are documented here[1]. Please check out the release in Github[2] for
more details on the changes made in this release.
If you are having issues with upgrading your setup to this release, please open an issue on
the issue tracker[3] for help.
[1]: https://asynchronous.in/docker-mailman/news/#upgrading-to-040-release
[2]: https://github.com/maxking/docker-mailman/releases/tag/v0.4.0
[3]: https://github.com/maxking/docker-mailman/issues
--
thanks,
Abhilash Raj (maxking)
Hey Everyone,
This weekend I wrote some documentation[1] that I thought would be
useful for Mailman admins when dealing with Django, since it is a
frequent topic on -users list.
The intent was to add only required information for admins to work with
Mailman installs and provide enough pointers to the right places, where
more information can be found, instead of duplicating it in Mailman's
docs, since it often goes stale.
Since the most common themes of questions are configuration (settings),
management commands and deployment (running), I divided the whole
page into those three sections.
If you as a system admin had to spend some time figuring out certain
things about Django, it would be good to respond on this thread or just
open a MR with additions to the page[1].
[1]: https://docs.mailman3.org/en/latest/django-primer.html
I also made a small architecture diagram of the various components in a
typical Mailman 3 install[2] since we didn't have any such existing
diagram. Suggestions to this are also welcome.
[2]: https://docs.mailman3.org/en/latest/architecture.html
--
thanks,
Abhilash Raj (maxking)
Hi all. I'm a prospective new contributor [1] presently running
through the onboard process.
Wikipedia transitioned from Freenode to Libera [2] which is run by
Freenode's former operators [3]. I haven't paid further attention to
their breakup drama, but Andrew Lee's post about a "Joseon Empire" on
Freenode's frontpage [4] doesn't fill me with confidence.
Just food for thought but has Mailman considered moving to Libera [5]?
Cheers! -Damian
[1] https://blog.atagar.com/
[2] https://meta.wikimedia.org/wiki/IRC/Migrating_to_Libera_Chat
[3] https://www.kline.sh/
[4] https://freenode.net/
[5] https://libera.chat/
Hey Everyone,
I have just tagged release 0.3.12 on Github for container images for
Mailman 3[1]. This release includes the fix for CVE-2021-40347 that was
announced earlier today. For the folks using 0.3 or 0.3.11 release tags,
it is highly recommended that you upgrade to this release.
This release also bumps the version of Mailman Core to 3.3.4,
Mailmanclient to 3.3.3 and Django-mailman3 to 1.3.7.
Note that since the main and v0.3.12 branches are different in many
ways, the default documentation[2] and the docker-compose.yaml files in
the main branch aren't accurate if you are using the stable release.
Please refer to the README[3] at v0.3.12 tag in the Github repo for more
accurate docker-compose.yaml and documentation.
The project has grown large enough that we need to start versioning the
documentation, if someone has experience with versioning docs using
Github pages and mkdocs, then I very much need some help here!
For those of you who are using the rolling release, it is recommended
that you **don't** upgrade to this stable release. The fixes have been
pulled into the rolling tags too, so just make sure that you upgrade to
the latest published version of rolling release, which as of this
writing should be based on fda837f8d15540e190992c30f7971f50fca54dac
commit[4]. This might not be the latest by the time you upgrade if I add
a new commit, so look for versions published after 4:00 PM PST 9/5/2021.
I am also working on cutting a new release, 0.4.0, which is backwards
incompatible with the setup required to talk to web server and MTA
(hence the minor version bump!). That should bring the rolling releases
and stable releases closer to each other and add improvements around not
needing static IPs in the docker network anymore, plus several bug fixes.
If someone wants to test the upgrade to 0.4.0 from 0.3 release and is
willing to try out the instructions at [5], it would give me some
confidence in cutting out the release sooner. The only thing stopping
the release of 0.4.0 images is that I haven't verified if the upgrade
from 0.3 is documented enough or not.
For all the registries listed in README[6], I am still trying to push to
Quay (maybe I need to just skip pushing to Quay :-). So, just use the
other two to pull the images, Github (ghcr.io) has more generous pull
download policy for un-authenticated users though.
[1]: https://github.com/maxking/docker-mailman/releases/tag/v0.3.12
[2]: https://asynchronous.in/docker-mailman/
[3]: https://github.com/maxking/docker-mailman/tree/v0.3.12
[4]: https://github.com/maxking/docker-mailman/commit/fda837f8d15540e190992c30f7…
[5]: https://asynchronous.in/docker-mailman/news/#upgrading-to-040-release
[6]: https://github.com/maxking/docker-mailman#container-registries
--
thanks,
Abhilash Raj (maxking)
Hey Everyone,
A new vulnerability was reported against Hyperkitty’s git master
branch which can expose the archives of a private Mailing List, through
the new Feeds API that was added to Hyperkitty recently, to someone who
isn't a member or logged in.
Thanks to Ngo Wei Lin for reporting this vulnerability.
This bug does not affect any stable released version of Hyperkitty and
only affects installations from source (1.3.5b1 version). To
differentiate from the vulnerable version, I have bumped the version in
master branch to 1.3.5b2, so if you have 1.3.5b1 installed, you should
upgrade!
The fix for this bug has been committed to master branch[1][2] less than
an hour ago as of this writing. If you are using git branches to install
Hyperkitty, you can upgrade using the following command:
$ pip install --upgrade git+https://gitlab.com/mailman/hyperkitty@master
I have also triggered a build for Mailman container images[3] with these
changes, so if you are using the rolling container images (which are the
only affected ones), then you should upgrade to the latest one when the
build[1] finishes (approximately in the next 30 minutes).
Do note that this version of rolling release of mailman-web image also
includes the fix for the vulnerability announced against Postorius
earlier today.
You can verify that you have the fixed version of Hyperkitty in the
image by running:
$ docker run -it --entrypoint bash maxking/mailman-web:rolling
bash-5.0# pip list | grep HyperKitty
HyperKitty 1.3.5b2
Ensure that you get 1.3.5b2 version.
[1]: https://gitlab.com/mailman/hyperkitty/-/merge_requests/362
[2]: https://gitlab.com/mailman/hyperkitty/-/commit/ed086015acbf66ba377e2af7f6e7…
[3]: https://github.com/maxking/docker-mailman/runs/3519658592
--
thanks,
Abhilash Raj (maxking)
Everyone,
A security vulnerability was reported against Postorius recently which
allows any logged-in user to unsubscribe any other member on any other
list on the same Mailman installation using a specially crafted POST request
due to a missing ownership check. This has been assigned CVE-2021-40347.
This affects all past versions of Postorius including 1.0.0.
Thanks to Kunal Mehta for the security report and a quick patch to fix
the vulnerability.
I am also attaching a minimal patch that fixes it along with this email,
without tests and NEWS so that it applies to older versions of Postorius
easily (I have tested the included patch with 1.3.3, 1.3.2 git tags).
Upgrading to 1.3.5 release is highly recommended and it mostly includes
the fix for this vulnerability (and a small compatibility fix for
django-mailman3 1.3.6) so it shouldn’t introduce any other bugs.
You can upgrade to this release by running:
$ pip install postorius==1.3.5
A full change log is available here[1] as usual and can be downloaded
from PyPI[2].
[1]: https://docs.mailman3.org/projects/postorius/en/latest/news.html#news-1-3-5
[2]: https://pypi.org/project/postorius/1.3.5/
Since there aren't many changes, this release requires 3.5+ like 1.3.4.
Although, note that the next release will drop support for 3.5 and will
support 3.6 only.
For those of you who use container images, I am working on 0.3.12 of
container images right now, so look out for that announcement. For those
of you using the rolling releases, you can already upgrade to the latest
version of the rolling release as it has the fix.
--
thanks,
Abhilash Raj (maxking)
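
Added example, not part of the announcement above and not the Postorius patch: a small in-memory model of the bug class described for CVE-2021-40347, an unsubscribe handler that only checks for a login next to one that also checks ownership of the target address. All class, function and address names are hypothetical, the data is constructed, and the rule that an owner of the list may remove any member is an assumption of this model.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester may not act on the target subscription."""


@dataclass
class User:
    name: str
    addresses: set  # e-mail addresses this account has verified


@dataclass
class MailingList:
    list_id: str
    owners: set = field(default_factory=set)   # owner account names
    members: set = field(default_factory=set)  # subscribed addresses


def unsubscribe_unchecked(user, mlist, post):
    """'Before' shape: being logged in is the only condition checked."""
    if user is None:
        raise Forbidden("login required")
    mlist.members.discard(post["email"])


def unsubscribe_checked(user, mlist, post):
    """'After' shape: the target address must belong to the requester,
    unless the requester owns this particular list (model assumption)."""
    if user is None:
        raise Forbidden("login required")
    email = post["email"]
    if email not in user.addresses and user.name not in mlist.owners:
        raise Forbidden(f"{user.name} does not control {email}")
    mlist.members.discard(email)


def demo():
    """Send one cross-user request through both handlers; report the outcome."""
    results = {}
    for handler in (unsubscribe_unchecked, unsubscribe_checked):
        mlist = MailingList("announce.example.org", {"olivia"},
                            {"alice@example.org", "bob@example.org"})
        bob = User("bob", {"bob@example.org"})
        try:
            handler(bob, mlist, {"email": "alice@example.org"})
            outcome = "allowed"
        except Forbidden:
            outcome = "denied"
        results[handler.__name__] = (outcome, sorted(mlist.members))
    return results
```

A regression test for this class of bug asserts on the denied case as well as the allowed ones, which is what `demo()` is shaped for.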