Just to confirm I'm not missing something, am I correct that there is no
way (other than patching) in Mailman 2.1.37 to automatically reject posts
that trigger the require_explicit_destination or max_num_recipients limits?
Thanks for the recent security fixes regarding potential CSRF attacks! I
checked our mischief logs for relevant messages today and the only one I
found was this:
Nov 24 19:33:24 2021 (117276) Form for user xxx(a)smail.uni-koeln.de
submitted with CSRF token issued for xxx(a)smail.Uni-Koeln.de.
The only difference is in the case of the email address. I’m no expert
on CSRF attacks, but to me it seems as though the comparison should
perhaps disregard differences in case only?
.:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
.:.Regionales Rechenzentrum (RRZK).:.
.:.Universität zu Köln / Cologne University - ✆
I am pleased to announce the release of Mailman 2.1.39.
This is a bug fix release. It fixes
This addresses two issues.
The fix for CVE-2021-42097 was case sensitive and should not be.
The fix for CVE-2021-44227 introduced a potential NameError in logging.
This could cause a user's changes to the options page to not be
accepted and perhaps cause a `We hit a bug` response if the user visited
the page with a mixed- or upper-case email address.
For those who just want a patch, one is attached to the bug report.
As noted Mailman 2.1.30 was the last feature release of the Mailman 2.1
branch from the GNU Mailman project. There has been some discussion as
to what this means. It means there will be no more releases from the GNU
Mailman project containing any new features. There may be future patch
releases to address the following:
bugs affecting operation for which no satisfactory workaround exists.
Mailman 2.1.39 is the ninth such patch release.
Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.
For more information, please see our web site at one of:
Mailman 2.1.39 can be downloaded from
Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
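When reviewing a mischief log from a release before 2.1.39, the case-only mismatch reported above can be separated from entries where the token was issued for a different address. This is an added example, not Mailman's code: it parses the entry format quoted in the thread, and the function names and sample addresses are constructed here.

```python
import re

# Body of the mischief-log entry quoted in the thread. List archives may
# obfuscate "@" as "(a)", so both spellings are normalised before comparing.
ENTRY = re.compile(
    r"Form for user (?P<form>\S+) submitted with "
    r"CSRF token issued for (?P<token>\S+)"
)

def _addr(raw):
    # Drop the sentence-ending period and undo archive obfuscation.
    return raw.rstrip(".").replace("(a)", "@")

def classify(entry):
    """Return (verdict, form_addr, token_addr), or None if not a CSRF entry.

    verdict is 'case-only' when the two addresses differ only in letter case
    (the false positive addressed in 2.1.39) and 'mismatch' otherwise.
    """
    m = ENTRY.search(" ".join(entry.split()))  # tolerate wrapped lines
    if m is None:
        return None
    form, token = _addr(m.group("form")), _addr(m.group("token"))
    verdict = "case-only" if form.lower() == token.lower() else "mismatch"
    return verdict, form, token

def triage(lines):
    """Group CSRF entries by verdict so genuine mismatches stand out."""
    report = {"case-only": [], "mismatch": []}
    for line in lines:
        result = classify(line)
        if result is not None:
            verdict, form, token = result
            report[verdict].append((form, token))
    return report

# Constructed sample entries (placeholder addresses, not real log data).
SAMPLE = [
    "Nov 24 19:33:24 2021 (117276) Form for user alice@example.org "
    "submitted with CSRF token issued for alice@Example.ORG.",
    "Nov 24 19:40:02 2021 (117301) Form for user bob@example.org "
    "submitted with CSRF token issued for carol@example.net.",
    "Nov 24 19:45:00 2021 (117310) unrelated entry (constructed)",
]

if __name__ == "__main__":
    for verdict, pairs in triage(SAMPLE).items():
        print(verdict, pairs)
```

Entries in the `mismatch` group are the ones worth a closer look; `case-only` entries correspond to the behaviour the 2.1.39 announcement describes.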
I realised I asked about this recently.
On lists I run, I don't have this appearing in subject lines where
messages are sent from Gmail and other domains.
For a list I don't run, messages sent from Gmail and other providers
have this in the subject line.
Wondering what settings need changing on the list this is happening with?
Mobile: 0414 431105
Email, iMessage & FaceTime
I am the owner of a classifieds website.
There are several categories of ads like Sale, Purchase, Donation, etc...
Today, registered users receive all new posted ads daily, but I would like to offer them to choose the categories that interest them.
For example Sale only, or Sale and Donation, etc ...
I'm looking for a solution to only send the content the user has subscribed to, but with one mailman list.
Maybe with Content-filtering?
I don't have too many ideas, any suggestion will be welcome.
Just over two weeks since I found myself on Microsoft's blocklist and
was manually removed, I find myself back on their blocklist again.
Possibly coincidentally, this morning MXToolbox informed me that Linode
has apparently found itself back on Uceprotectl3. Does anyone know if
Microsoft considers that particular blacklist when deciding to blocklist
an IP? Naturally, I've submitted a deliverability support ticket, and
will probably have to wait several hours for the result.
As always, I'm not doing anything wrong (that I know of at least). Even
if someone had hacked my server, my hypothesis is that they'd have to be
a very careful and methodical hacker if their aim were to get me
blocklisted by Microsoft and only Microsoft. If my server were spewing
out spam, I ought to be hitting Spamhaus/SORBS/etc. spam traps left and
right. Trust me, one time I was hacked, my server was sending out spam
and I didn't know it, and I quickly found myself on Spamhaus XBL.
Last evening I received an Email from "Hotmail deliverability support"
indicating they'd implemented mitigation for my IP, and that it could
take up to twenty-four hours for it to propagate through their systems.
When this has happened before, it has never taken anywhere near that
long for me to be able to send Emails again. Now over ten hours later
I'm still unable to send Emails to Hotmail/Live/MSN/Outlook. Normally I
might think it might actually be taking this long this time, except for
the fact that their so-called (probably automated) initial investigation
didn't find anything wrong at their end, and yet I was still block listed.
Has anyone else seen this from Microsoft? Does anyone know if they
perhaps sometimes block entire subnets? I have to think whatever's going
on is probably bigger than me, e.g. they mitigated my IP (even though
they couldn't find anything wrong) but something in the bigger picture
is still insisting I be block listed? This is getting really old, really
Thanks for any thoughts,
I just received Microsoft's response to my deliverability support
request. Mitigated? Nope. Not qualified for mitigation? Nope again.
Their resolution states:
We were unable to identify anything on our side that would prevent your
mail from reaching Outlook.com customers.
I sent a test Email to an Outlook customer after receiving that
response, and it bounced right back with the same error as always.
Needless to say I've responded to Microsoft's message. We'll see where