From mailman-developers@python.org Sat Mar 3 08:26:35 2001
From: mailman-developers@python.org (Barry A. Warsaw)
Date: Sat, 3 Mar 2001 03:26:35 -0500
Subject: [Mailman-Announce] ANNOUNCE Mailman 2.0.2 (important privacy patch)
Message-ID: <15008.43707.726965.293836@anthem.wooz.org>

I've just uploaded the Mailman 2.0.2 release to SourceForge. This is
a bug fix release that also fixes a potential privacy hole, which
could allow a list administrator to get access to user passwords.
Even with those passwords, I believe there's little additional harm
that a list admin could do, but still they probably shouldn't have
access to those passwords.

There are a few other important fixes in this release, so I recommend
that all sites running Mailman 2.0 or 2.0.1 should upgrade.

As usual I'm releasing this as both a complete tarball and as a patch
against Mailman 2.0.1. If you grab the patchfile, you'll want to cd
into your 2.0 source, and apply it like so:

    % patch -p1 < mailman-2.0.1-2.0.2.diff

Currently only http://mailman.sourceforge.net is updated, but the
list.org and gnu.org sites should be updated soon. The release
information on SF is at

    http://sourceforge.net/project/shownotes.php?release_id=25955

My thanks to Thomas Wouters for his help!

Enjoy,
-Barry

P.S. I'm not sure if I'll have time to release a 2.1 alpha of the I18N
stuff before I leave for the Python9 conference. If we get the
expected foot of snow between Sunday and Monday, it's a
possibility. ;)

[From the NEWS file]

2.0.2 (03-Mar-2001)

    Security fix:

    - A fix for a potential privacy exploit where a clever list
      administrator could gain access to user passwords. This doesn't
      allow them to do much more harm to the user than they normally
      could, but they still shouldn't have access to the passwords.

    Bug fixes:

    - In the admindb page, don't complain when approving a
      subscription of someone who's already on the list (SF bug
      #222409 - Thomas Wouters).

      Also, quote for HTML the Subject: text printed for held
      messages, otherwise messages with e.g. "Subject: " could
      royally screw page formatting.

    - In Netscape.py bounce processor, don't bomb out on ill-formed
      messages (no semi-colon separating parameters), otherwise mail
      delivery could grind to a halt. Bug reported by Kambiz
      Aghaiepour.

    - Docstring fix bin/newlist to remove mention of "immediate"
      argument (Thomas Wouters).

    - Fix for bin/update when PREFIX != VAR_PREFIX (SF bug #229794 --
      Thomas Wouters).

From mailman-developers@python.org Sat Mar 3 17:08:18 2001
From: mailman-developers@python.org (Barry A. Warsaw)
Date: Sat, 3 Mar 2001 12:08:18 -0500
Subject: [Mailman-Announce] Re: ANNOUNCE Mailman 2.0.2 (important privacy patch)
References: <15008.43707.726965.293836@anthem.wooz.org>
Message-ID: <15009.9474.666986.317159@anthem.wooz.org>

>>>>> "BAW" == Barry A Warsaw writes:

    BAW> If you grab the patchfile, you'll want to cd into your 2.0
    BAW> source, and apply it like so:

    BAW> % patch -p1 < mailman-2.0.1-2.0.2.diff

Two mistakes here (it was late last night :). I originally uploaded a
file called `mailman-2.0.2-2.0.1.diff' to SourceForge. I've just
uploaded the same file under the correct name, so either will work.

Second, please use "patch -p0 < mailman-2.0.1-2.0.2.diff" from inside
the source directory, otherwise you'll get lots of questions from
patch.

Sorry about that,
-Barry

From mailman-developers@python.org Mon Mar 12 22:29:06 2001
From: mailman-developers@python.org (Barry A. Warsaw)
Date: Mon, 12 Mar 2001 17:29:06 -0500
Subject: [Mailman-Announce] ANNOUNCE Mailman 2.0.3
Message-ID: <15021.19890.887096.306934@anthem.wooz.org>

--O17lvtC8kj
Content-Type: text/plain; charset=us-ascii
Content-Description: message body text
Content-Transfer-Encoding: 7bit

I'm sorry folks. As some of you are aware, a small but nasty typo
snuck its way into the Mailman 2.0.2 release, necessitating a bug fix
patch. Thus I've just uploaded Mailman 2.0.3 to SourceForge. I
highly recommend that you upgrade to this version.

As usual I'm releasing this as both a complete tarball and as a patch
against Mailman 2.0.2. You /must/ update your source to 2.0.2 before
applying the 2.0.3 patch. Since the patch is small, I'm including it
in this message. To apply, cd into your 2.0.2 source tree and apply
it like so:

    % patch -p0 < mailman-2.0.2-2.0.3.diff

Currently both http://mailman.sourceforge.net and http://www.list.org
are updated, and I expect the gnu.org site to be updated soon as well.
The release information on SF is at

    http://sourceforge.net/project/shownotes.php?release_id=27001

-Barry

P.S. It was nice to meet so many Mailman fans at IPC9! It was also
quite cool to finally meet Thomas Wouters. Don't worry Thomas, I
won't hold this one against ya. :)

[From the NEWS file]

2.0.3 (12-Mar-2001)

    Bug fix release. There was a small typo in 2.0.2 in ListAdmin.py
    for approving an already subscribed member (thanks Thomas!).
    Also, an update to the OpenWall security workaround
    (contrib/securelinux_fix.py) was included. Thanks to Marc Merlin.

--O17lvtC8kj Content-Type: text/plain Content-Description: Patch Mailman 2.0.2 -> 2.0.3 Content-Disposition: inline; filename="mailman-2.0.2-2.0.3.diff" Content-Transfer-Encoding: 7bit Index: NEWS =================================================================== RCS file: /cvsroot/mailman/mailman/NEWS,v retrieving revision 1.25.2.2 retrieving revision 1.25.2.4 diff -u -r1.25.2.2 -r1.25.2.4 --- NEWS 2001/03/03 06:51:26 1.25.2.2 +++ NEWS 2001/03/12 19:32:10 1.25.2.4 @@ -1,8 +1,15 @@ Mailman - The GNU Mailing List Management System -Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Here is a history of user visible changes to Mailman. + +2.0.3 (12-Mar-2001) + + Bug fix release. There was a small typo in 2.0.2 in ListAdmin.py + for approving an already subscribed member (thanks Thomas!). + Also, an update to the OpenWall security workaround + (contrib/securelinux_fix.py) was included. Thanks to Marc Merlin. 2.0.2 (03-Mar-2001) Index: README.LINUX =================================================================== RCS file: /cvsroot/mailman/mailman/README.LINUX,v retrieving revision 1.6 retrieving revision 1.6.2.1 diff -u -r1.6 -r1.6.2.1 --- README.LINUX 2000/09/19 17:25:23 1.6 +++ README.LINUX 2001/03/12 19:21:50 1.6.2.1 @@ -1,5 +1,5 @@ Mailman - The GNU Mailing List Management System -Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA GNU/LINUX ISSUES 
@@ -14,6 +14,11 @@ can cause "Operation not permitted" errors in MailList.Save() -- you will see a traceback. You must turn restricted hardlinks off. This is also known under the name of Openwall Security Patches. + +There is a workaround for this problem, you can use securelinux_fix.py +in the contrib directory (see the README.securelinux_fix.py). Note +that the script will not work until you move it in your installed +Mailman tree in the bin directory. Index: Mailman/ListAdmin.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/ListAdmin.py,v retrieving revision 1.47.2.1 retrieving revision 1.47.2.4 diff -u -r1.47.2.1 -r1.47.2.4 --- Mailman/ListAdmin.py 2001/03/02 23:32:15 1.47.2.1 +++ Mailman/ListAdmin.py 2001/03/07 23:26:49 1.47.2.4 @@ -1,4 +1,4 @@ -# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc. +# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -327,8 +327,8 @@ # subscribe assert value == mm_cfg.SUBSCRIBE try: - self.ApprovedAddMember(addr, password, digest, lang) - except Errors.MMAlreadyMember: + self.ApprovedAddMember(addr, password, digest) + except Errors.MMAlreadyAMember: # User has already been subscribed, after sending the request pass # TBD: disgusting hack: ApprovedAddMember() can end up closing Index: Mailman/Version.py =================================================================== RCS file: /cvsroot/mailman/mailman/Mailman/Version.py,v retrieving revision 1.20.2.2 retrieving revision 1.20.2.3 diff -u -r1.20.2.2 -r1.20.2.3 --- Mailman/Version.py 2001/03/03 06:19:15 1.20.2.2 +++ Mailman/Version.py 2001/03/07 23:25:41 1.20.2.3 
@@ -15,7 +15,7 @@ # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # Mailman version -VERSION = "2.0.2" +VERSION = "2.0.3" # And as a hex number in the manner of PY_VERSION_HEX ALPHA = 0xa @@ -27,7 +27,7 @@ MAJOR_REV = 2 MINOR_REV = 0 -MICRO_REV = 2 +MICRO_REV = 3 REL_LEVEL = FINAL # at most 15 beta releases! REL_SERIAL = 0 Index: admin/www/download.ht =================================================================== RCS file: /cvsroot/mailman/mailman/admin/www/download.ht,v retrieving revision 1.5.2.2 retrieving revision 1.5.2.4 diff -u -r1.5.2.2 -r1.5.2.4 --- admin/www/download.ht 2001/03/03 06:18:47 1.5.2.2 +++ admin/www/download.ht 2001/03/12 19:33:49 1.5.2.4 @@ -65,9 +65,9 @@

Downloading

Version -(2.0.2, +(2.0.3, released on -Mar 3 2001) +Mar 12 2001) is the current GNU release. It is available from the following mirror sites:
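
Review bot: In the Mailman/ListAdmin.py hunk (@@ -327,8 +327,8 @@), the corrected "except Errors.MMAlreadyAMember:" clause guards a path that shipped with a misspelled exception name in 2.0.2, so the approve-an-already-subscribed-address case should get a regression test that approves a held subscription for an address already on the list and checks that the request is cleared without a traceback. The same hunk also drops the "lang" argument from the ApprovedAddMember() call, which the NEWS entry ("a small typo") does not mention; please say in NEWS or the commit message that both the argument list and the exception name were changed, so sites comparing 2.0.2 and 2.0.3 know the call itself was affected.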
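
Review bot: In the README.LINUX hunk (@@ -14,6 +14,11 @@), the added workaround paragraph sits directly under the unchanged sentence "You must turn restricted hardlinks off", so the file now gives two conflicting instructions and the first one a reader meets tells them to disable an Openwall hardening feature. Suggest rewording the earlier sentence to offer the choice (turn restricted hardlinks off, or keep them on and use contrib/securelinux_fix.py) and leading with the workaround. The new text also has a comma splice after "this problem", and "move it in your installed Mailman tree in the bin directory" would read more clearly as "copy it into the bin directory of your installed Mailman tree".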