I have released Mailman 2.1.4, a bug fix release that also contains support for four new languages: Catalan, Croatian, Romanian, and Slovenian. This release also contains a fix for a cross-site scripting vulnerability in the 'admin' cgi script (see CAN-2003-0965). There is also an expanded ability to filter message headers, nominally to provide better support when Mailman is used in conjunction with upstream spam and virus filters.
The full source tarball has been made available from the usual sites. Sorry, there is no patch available yet, but you should be able to install Mailman 2.1.4 over your existing 2.1.x installation. See
http://sourceforge.net/project/showfiles.php?group_id=103
for links to the downloadable files. After installing, be sure you restart your Mailman daemon by doing a "mailmanctl restart".
IMPORTANT: You will want to re-run configure before doing a make install.
See also:
http://www.list.org
http://mailman.sf.net
http://www.gnu.org/software/mailman
Enjoy, and have a Happy New Year. -Barry
-------------------- snip snip --------------------
2.1.4 (31-Dec-2003)

- Close some cross-site scripting vulnerabilities in the admin pages
  (CAN-2003-0965).
- New languages: Catalan, Croatian, Romanian, Slovenian.
- New mm_cfg.py/Defaults.py variable PUBLIC_MBOX which allows the site
  administrator to disable public access to all the raw list mbox files
  (this is not a per-list configuration).
- Expanded header filter rules under Privacy -> Spam Filters. Now you can
  specify regular expression matches against any header, with specific
  actions tied to those matches.
- Rework the SMTP error handling in SMTPDirect.py to avoid scoring bounces
  for all recipients when a permanent error code is returned by the mail
  server (e.g. because of content restrictions).
- Promoted SYNC_AFTER_WRITE to a Default.py/mm_cfg.py variable and
  make it control syncing on the config.pck file. Also, we always flush
  and sync message files.
- Reduce archive bloat by not storing the HTML body of Article objects in
  the Pipermail database. A new script bin/rb-archfix was added to clean
  up older archives.
- Proper RFC quoting for List-ID descriptions.
- PKGDIR can be passed to the make command in order to specify a different
  directory to unpack the distutils packages in misc. (SF bug 784700).
- Improved logging of the origin of subscription requests.
- Bugs and patches: 832748 (unsubscribe_policy ignored for unsub button on
  member login page), 846681 (bounce disabled cookie was always out of
  date), 835870 (check VIRTUAL_HOST_OVERVIEW on through the web list
  creation), 835036 (global address change when the new address is already
  a member of one of the lists), 833384 (incorrect admin password on a
  hold message confirmation attachment would discard the message), 835012
  (fix permission on empty archive index), 816410 (confirmation page
  consistency), 834486 (catch empty charsets in the scrubber), 777444 (set
  the process's supplemental groups if possible), 860135 (ignore
  DiscardMessage exceptions during digest scrubbing), 828811 (reduce
  process size for list and admin overviews), 864674/864676 (problems
  accessing private archives and rosters with admin password), 865661
  (Tokio Kikuchi's i18n patches), 862906 (unicode prefix leak in admindb),
  841445 (setting new_member_options via config_list), n/a (fixed email
  command 'set delivery')

In message <16371.5054.109107.157603@gargle.gargle.HOWL>, Barry A. Warsaw writes:
> - Expanded header filter rules under Privacy -> Spam Filters. Now you can specify regular expression matches against any header, with specific actions tied to those matches.
Yay!
Just what I asked for a couple of months ago (and was instructed to "hack it myself" :-) I'm going to install this version on my server right away.
Thanks Barry, and a happy new year.
Erez.
Hi Barry,
On Wed, Dec 31, 2003 at 01:21:50PM -0500, Barry A. Warsaw wrote:
> I have released Mailman 2.1.4, a bug fix
Great, thanks for the continuous good work!
> - Rework the SMTP error handling in SMTPDirect.py to avoid scoring bounces for all recipients when a permanent error code is returned by the mail server (e.g. because of content restrictions).
Important improvement!
> - Proper RFC quoting for List-ID descriptions.
Checking the following diff,
I think that 996 would be a more reasonable line length and maxlinelen=10000 is a bug in the current 2.1.4 code. It creates the chance that mailman creates lines which are longer than 998 characters, potentially violating section 2.1.1 Line Length Limits of RFC 2822.
The sad part is that my bug report [ 665732 ] having my corresponding patch http://sourceforge.net/tracker/download.php?group_id=103&atid=100103&file_id=57904&aid=665732 containing my analysis somehow has been overlooked. I took some time to actually look up the RFC when writing the patch. Seeing that work being wasted is a bit demotivating.
Nevertheless, what about a 2.0.14 release (yes 2._0_.14)? Many people still run older releases and bug #726736 is a real showstopper.
I still believe bug #815297 to be an important one, because it destroys the email signature security.
Regards, Bernhard
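
The line-length point raised in the message above, as an added example that is not part of the original thread and is not Mailman's code. It assumes the `maxlinelen` setting under discussion behaves like the `maxlinelen` parameter of Python's `email.header.Header`; the list description and host name are constructed sample data.

```python
from email.header import Header

HARD_LIMIT = 998  # RFC 2822 section 2.1.1: max characters per line, excluding CRLF

# Constructed sample data: a deliberately long list description.
NAME = "List-Id"
DESC = " ".join(["announcements"] * 120) + " <demo.lists.example.org>"


def fold_header(name, value, maxlinelen):
    """Fold "name: value" and return its physical lines (without line endings)."""
    # header_name makes the first line's budget account for "List-Id: ".
    folded = Header(value, maxlinelen=maxlinelen, header_name=name).encode()
    return (name + ": " + folded).split("\n")


def overlong_lines(lines, limit=HARD_LIMIT):
    """Return (index, length) for every physical line longer than the limit."""
    return [(i, len(line)) for i, line in enumerate(lines) if len(line) > limit]


def unfold(lines):
    """Undo folding: continuation lines already start with their whitespace."""
    return "".join(lines)


if __name__ == "__main__":
    # Compare the value criticised in the message with the one it proposes.
    for maxlinelen in (10000, 996):
        lines = fold_header(NAME, DESC, maxlinelen)
        print(maxlinelen, "lines:", len(lines), "overlong:", overlong_lines(lines))
```

Running `overlong_lines` over outgoing headers in a test suite catches this class of regression before a strict receiving MTA rejects or rewraps the message.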