[Mailman-Users] Mailman 2.1.26 Security release Feb 4, 2018

Mark Sapiro mark at msapiro.net
Sun Feb 4 12:51:37 EST 2018

I am pleased to announce the release of Mailman 2.1.26.

Python 2.4 is the minimum supported, but Python 2.7 is strongly recommended.

This is a security and bug fix release with a couple of new features.
See the attached README.txt for details.

For those who are concerned about the security vulnerability and can't
upgrade immediately, there is a patch at
to fix the security issue. More information on the issue itself is in
the bug report at <https://bugs.launchpad.net/mailman/+bug/1747209>.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.

For more information, please see our web site at one of:


Mailman 2.1.26 can be downloaded from


Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
-------------- next part --------------
2.1.26 (04-Feb-2018)


    - An XSS vulnerability in the user options CGI could allow a crafted URL
      to execute arbitrary javascript in a user's browser.  A related issue
      could expose information on a user's options page without requiring
      login.  These are fixed.  Thanks to Calum Hutton for the report.
      CVE-2018-5950  (LP: #1747209)

  New Features

    - Thanks to David Siebörger who adapted an existing patch by Andrea
      Veri to use Google reCAPTCHA v2 there is now the ability to add
      reCAPTCHA to the listinfo subscribe form.  There are two new mm_cfg.py
      settings for RECAPTCHA_SITE_KEY and RECAPTCHA_SECRET_KEY, the values
      for which you obtain for your domain(s) from Google at

    - Thanks to Lindsay Haisley, there is a new bin/mailman-config command
      to display various information about this Mailman version and how it
      was configured.


    - The Japanese message catalog has been updated for added strings by
      Yasuhito FUTATSUKI.

    - The German translation of a couple of templates has been updated by
      Thomas Hochstein.

    - The Japanese translation of Defaults.py.in has been updated by
      Yasuhito FUTATSUKI.

  Bug fixes and other patches

    - Fixed an i18n bug in the reCAPTCHA feature.  (LP: #1746189)

    - Added a few more environment variables to the list of those passed
      to CGIs to support an nginx/uwsgi configuration.  (LP #1744739)

    - Mailman 2.1.22 introduced a Python 2.7 dependency that could affect
      bin/arch processing a message without a valid Date: header.  The
      dependency has been removed.  (LP: #1740543)

    - Messages held for header_filter_rules now show the matched regexp in
      the hold reason.  (LP: #1737371)

    - When updating the group and mode of a .db file with Mailman's Postfix
      integration, a missing file is ignored.  (LP: #1734162)

    - The DELIVERY_RETRY_WAIT setting is now effective.  (LP: #1729472)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://mail.python.org/pipermail/mailman-users/attachments/20180204/76561c18/attachment.sig>

More information about the Mailman-Users mailing list