A couple of vulnerabilities have recently been reported. Thanks to Andre
Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and
helping with the development of a fix.
CVE-2021-42096 could allow a list member to discover the list admin
CVE-2021-42097 could allow a list member to create a successful CSRF
attack against another list member enabling takeover of the member's account.
These attacks can't be carried out by non-members so may not be of
concern for sites with only trusted list members.
In any case, I am planning to make a 2.1.35 release and to post a patch
for those who don't want to upgrade to address these issues. This is
scheduled for Tuesday, October 19.
Mark Sapiro <mark(a)msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
I am pleased to announce that Postorius 1.3.6b1 is now out. This is the
first pre-release for 1.3.6, which is slated for release next week, soon
after the Mailman Core 3.3.5 release.
This release requires Mailman Core 3.3.5 release, so if you are trying
out this release, please also upgrade Mailman Core to 3.3.5rc1 (which
was just released today).
This release includes several new features and bug fixes. A full list of
changes is available here.
With this release, we have also improved on the localization of the
interface. If you want to help out before the release of the stable
1.3.6, please see the instructions for translators here. We use
Weblate for translations, so if you are familiar with that, you can
directly head over there.
Since this is a pre-release version, you can install this using pip via:
$ pip install --upgrade --pre postorius django-mailman3 mailmanclient
Please also ensure to run the post-install commands as per the upgrade
documentation (commands _after_ pip install, needs a post-install
heading/anchor in there :-).
A release tarball is available on PyPI:
Finally, thanks to all the folks who helped with this release in any
capacity and made it possible.
I am pleased to announce that Mailman Core 3.3.5b1 is now out. It is a
pre-release for 3.3.5, which is slated to come out in 3 weeks from now.
I am planning for a 2 week beta period, after which I'll release the
first RC and then stable a week after. Right now I am not planning to
release a second beta version, but if there are several changes in Core
in the next week or so, then I might.
This release includes a lot of bug fixes and some new features. It also
includes a security enhancement that improves the authentication of REST
API by adding resistance to some timing channel attacks.
A full list of changes in this version can be found here.
We have also made improvements in the i18n workflow and now the email
templates are updated from the translated messages in the .po files that
we get from Weblate. Documentation for translators is available here
if you want to help translate Mailman into your native language.
This is a pre-release version. If you want to test it with your setup,
you can install it using:
$ pip install --pre mailman==3.3.5b1
If you want to download a release tarball, you can do so from here:
This release received a lot of contributions from the community, which I am
really happy about! I'd like to thank everyone who made this release
Abhilash Raj (maxking)
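Added example, not code from Mailman Core or from the announcement above: a sketch of what resistance to timing channels means for HTTP Basic authentication on a REST API, with a timing-sensitive check beside a constant-time one. The credentials, function names and header handling are assumptions made for illustration.

```python
import base64
import hmac

# Constructed sample credentials (assumption); a real service loads these
# from its configuration, never from source code.
API_USER = "restadmin"
API_PASS = "constructed-sample-secret"


def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_naive(header):
    """Timing-sensitive: == may return at the first differing character."""
    creds = parse_basic(header)
    return creds is not None and creds[0] == API_USER and creds[1] == API_PASS


def check_constant_time(header):
    """Compare both fields in time independent of where they differ."""
    creds = parse_basic(header)
    # Run both comparisons even for a malformed header or a wrong user name,
    # so the response time does not reveal which check failed.
    user, password = creds if creds is not None else ("", "")
    # Encode to bytes: compare_digest rejects non-ASCII str arguments.
    user_ok = hmac.compare_digest(user.encode("utf-8"), API_USER.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), API_PASS.encode("utf-8"))
    return creds is not None and (user_ok & pass_ok)


def make_header(user, password):
    """Build a Basic Authorization header value (used for the sample calls)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    print(check_constant_time(make_header(API_USER, API_PASS)))
    print(check_constant_time(make_header(API_USER, "guess")))
```

hmac.compare_digest hides where two values differ but can still reveal their lengths, which is why services often compare fixed-length hashes of the credentials instead.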
after installing mailman-3 and postorius for the first time, I'm
unhappy with the German translations. I understand that new
translators are invited to use weblate. So I had registered an
account there and tried to fix listed problems first. But I
didn't complete this undertaking, because IMHO the current German
translations of some important (technical) terms are
unfavourable, if not unintelligible, and also inconsistent. So
instead of adding to the confusion, I would favour a major
overhaul. These are my first steps as a potential translator and
there are certainly rules and manners I'd better know about. So
all tips and suggestions are welcome. The rest of my post is in
German on purpose.
I know that these remarks may not be welcome and may not meet with
unanimous agreement, but I find the translation of some key technical
terms very unfortunate:
Is a technical term that should not be translated. Der
Bounce, bouncen, gebouncet, der Bounce-Zähler etc. - Anyone who does not
know the term can google it that way. There is no
established German translation.
list member, subscriber, (un)subscribe, subscription:
This is a key concept. Consistent terminology absolutely must be
maintained here. "Mitglied" is indeed
a direct translation, but an easily misunderstood
term. "Abonnement" is an established word that is also used for
this concept in other programs (e.g. Thunderbird).
Abonnent, abonnieren, kündigen, Abonnement
message, post, e-mail, submission:
Here the English original is also terribly confused. This
can be improved in the translation. I would generally use
"(eingereichte) Nachricht", and "E-Mail" only in the
places where it is clearer or more precise, for example for
messages that are explicitly received or sent as e-mails,
or where technical details are concerned that relate explicitly
to e-mails, such as SMTP delivery etc.
Is a technical term. Do not translate. Plain-Text
is translated very inconsistently. My suggestion:
"Diskussionsfaden". "-strang" sounds too coarse to me. There are
other English words, which I can't think of right now, that
nevertheless have to be translated the same way.
There is more, but these are the things that I noticed
immediately. If there is a maintainer of the German
translation, I would be glad to be in touch. I hope I haven't
caused offence. :-)
I hope it's ok that I write my questions to the mailing list.
I newly discovered the possibility of translating Mailman. However, the instructions given are a bit hard for me to follow.
Specifically, there are things that cannot be done:
* https://wiki.list.org/DEV/Internationalization instructs to write to one's Mailman Language Champion; I wrote to the Champion for Ukrainian, but his email is rejecting letters.
* It is mentioned on https://wiki.list.org/DEV/i18nhowto that Mailman3 is not ready for translation yet – it's hard for me to believe that this is still the case, taking into consideration that that page is said to be last updated several years ago. I have trouble understanding what the current situation is. lists.wikimedia.org is said to use Mailman3 now; I see some interface lines in English but some in Ukrainian as well, so at least some translations were imported into the newer version(?) But I don't see where I can translate Mailman3.
If I'm missing something, please point me in the right direction.
But if my assumption is right and the instruction pages are indeed outdated, how can we fix that?
I am pleased to announce that Mailman Core 3.3.4 is now out.
Because of incompatibility with the new version of a downstream
library (SQLAlchemy), this release is setting 1.3.x as the max
supported version of SQLAlchemy.
Even though it comes soon after 3.3.3, it has a lot of bug fixes and
new features. Some notable ones are:
* Email -join command now supports subscribing as digests with
digest=<no|mime|plain> options being honored.
* For anonymous lists, Mailman will filter all the headers except a few
that can be configured using a new config option.
* Mailman can do max_size checks on filtered message rather than
original message (which might be larger before being filtered)
* Previously deprecated --add, --del and --sync options from
`mailman members` command are now removed. Their alternatives
are `addmembers`, `delmembers` and `syncmembers` subcommands.
* If configured, Mailman will add a report about content filtering.
A complete change log is available here:
This release is available via PyPI:
You can install or upgrade using:
$ pip install --upgrade mailman
Thanks to all the contributors who helped with this release!
On behalf of Mailman Core Team
I am pleased to announce that with a week long delay from the planned date,
GNU Mailman Core 3.3.2 is now finally out. This release includes both bug fixes
and some new features.
Some notable changes include:
- Support for inviting users to join mailing lists.
- New addmembers, delmembers and syncmembers commands to manage membership from CLI.
- Addition of new REST API endpoints that return the count of held messages and subscription requests for much faster page loads in Postorius.
- Addition of support for filtering in some API endpoints like Members and Subscription requests.
- Support for address= option in email join command to subscribe an address other than the sending address.
- Addition of who email command to look up memberships.
- Expose emergency field for MailingList resource in REST API.
- Several bug fixes to support new major version of libraries like dnspython, flufl.* etc.
You can install it using:
$ pip install --upgrade mailman
The tarball for the release is available at PyPI:
Finally, many thanks to all the contributors who have helped make this release a success!
Abhilash Raj (maxking) on behalf of Mailman Core team