2.1.27 (22-Jun-2018)

Security

- Existing protections against malicious listowners injecting evil scripts into listinfo pages have had a few more checks added. JVN#00846677/JPCERT#97432283

- A few more error messages have had their values HTML escaped. JVN#00846677/JPCERT#97432283

- The hash generated when SUBSCRIBE_FORM_SECRET is set could have been the same as one generated at the same time for a different list and IP address. While this is not thought to be exploitable in any way, the generation has been changed to avoid this. Thanks to Ralf Jung.

New Features

- An option has been added to bin/add_members to issue invitations instead of immediately adding members. (LP: #1773064)

- A new BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE setting has been added to enable blocking web subscribes from IPv4 addresses listed in Spamhaus SBL, CSS or XBL. It will work with IPv6 addresses if Python's py2-ipaddress module is installed. The module can be installed via pip if not included in your Python.

- Thanks to Jim Popovitch, Mailman has a new 'security' log and logs authentication failures to the various web CGI functions. The logged data include the remote IP and can be used to automate blocking of IPs with something like fail2ban. Since Mailman 2.1.14, these have returned an HTTP 401 status and the information should be logged by the web server, but this new log makes that more convenient. Also, the 'mischief' log entries for 'hostile listname' now include the remote IP if available.

- Thanks to Jim Popovitch, admin notices of (un)subscribes now may give the source of the action. This consists of a %(whence)s replacement that has been added to the admin(un)subscribeack.txt templates. Thanks to Yasuhito FUTATSUKI for updating the non-English templates and help with internationalizing the reasons.

- Thanks to Jim Popovitch, there is a new BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE setting to enable blocking web subscribes for addresses in domains listed in the Spamhaus DBL.

i18n

- The Japanese translation has been updated by Yasuhito FUTATSUKI.

- The Russian translation has been updated by Danil Smirnov.

- A partial Esperanto translation has been added. Thanks to Rubén Fernández Asensio.

- Fixed a '# -*- coding:' line in the Russian message catalog that was mistakenly translated to Russian. (LP: #1777342)

Bug fixes and other patches

- Some messages from bin/arch were not issued in the charset of the system locale when DISABLE_COMMAND_LOCALE_CSET is No. Thanks to Yasuhito FUTATSUKI this is now fixed. (LP: #1768892)

- The message displayed in the browser when accessing a Mailman CGI when mm_cfg.py can't be imported due to some exception other than ImportError has been improved. (LP: #1760506)

- The reimplementation of DELIVERY_RETRY_WAIT in 2.1.26 could cause extra dequeueing and requeueing in the out queue by OutgoingRunner. This is fixed. (LP: #1762871)

- A Python 2.7 dependency introduced in the ToDigests handler in Mailman 2.1.24 has been removed. (LP: #1755317)

- Bad values in a list's topics will no longer break everything that might instantiate the list. (LP: #1754516)

- A Python 2.7 dependency introduced with the reCAPTCHA feature in 2.1.26 has been removed. (LP: #1752658)

- The reCAPTCHA feature requires JavaScript. If JavaScript is not enabled, a message will be displayed on the subscribe form that JavaScript is required. (LP: #1769374)

- Quoting in the mailman-config command has been changed from double to single quotes to allow double-quoted parameters. (LP: #1774986)

- Approving a held subscription for a user with a 'different' preferred language no longer corrupts the results page. (LP: #1777222)

- An issue with garbled descriptions on listinfo and admin overview pages and the heading of a list's listinfo page due to incompatible character sets has been fixed thanks to Yasuhito FUTATSUKI.

Miscellaneous

- Added to the contrib directory, a script from Jim Popovitch to generate Sitemap files for a list's archive.