From mark at msapiro.net Sun Sep 5 02:59:21 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 04 Sep 2010 17:59:21 -0700
Subject: [Mailman-i18n] Mailman security patch.
Message-ID: <4C82EB69.9000506@msapiro.net>

I plan to release a Mailman 2.1.14 candidate release towards the end of
next week (Sept 9 or 10). This release will have enhanced XSS defenses
addressing two recently discovered vulnerabilities. Since release of the
code will potentially expose the vulnerabilities, I plan to publish a
patch against the 2.1.13 base with the fix before actually releasing the
2.1.14 candidate.

I will post the patch to the same 4 lists that this post is being sent
to in the early afternoon, GMT, on September 9.

The vulnerabilities are obscure and can only be exploited by a list
owner, but if you are concerned about them you can plan to install the
patch. The patch is small (34 line diff), only affects two modules and
doesn't require a Mailman restart to be effective, although I would
recommend a restart as soon as convenient after applying the patch.

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan


From mark at msapiro.net Thu Sep 9 15:46:16 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 09 Sep 2010 06:46:16 -0700
Subject: [Mailman-i18n] [Mailman-Announce] Mailman security patch.
In-Reply-To: <4C82EB69.9000506@msapiro.net>
References: <4C82EB69.9000506@msapiro.net>
Message-ID: <4C88E528.9050405@msapiro.net>

On 9/4/2010 5:59 PM, Mark Sapiro wrote:
> I plan to release a Mailman 2.1.14 candidate release towards the end of
> next week (Sept 9 or 10). This release will have enhanced XSS defenses
> addressing two recently discovered vulnerabilities. Since release of the
> code will potentially expose the vulnerabilities, I plan to publish a
> patch against the 2.1.13 base with the fix before actually releasing the
> 2.1.14 candidate.
>
> I will post the patch to the same 4 lists that this post is being sent
> to in the early afternoon, GMT, on September 9.
>
> The vulnerabilities are obscure and can only be exploited by a list
> owner, but if you are concerned about them you can plan to install the
> patch.

The patch is attached. Since it only affects the web CGIs, it can be
applied and will be effective without restarting Mailman, although
since it includes a patch to Utils.py which is imported by the
qrunners, a restart of Mailman is advisable as soon as convenient
after applying the patch.

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: xss.patch.txt


From barry at list.org Thu Sep 9 16:41:22 2010
From: barry at list.org (Barry Warsaw)
Date: Thu, 9 Sep 2010 10:41:22 -0400
Subject: [Mailman-i18n] [Mailman-Developers] [Mailman-Announce] Mailman security patch.
In-Reply-To: <4C88E528.9050405@msapiro.net>
References: <4C82EB69.9000506@msapiro.net> <4C88E528.9050405@msapiro.net>
Message-ID: <20100909104122.544829c5@mission>

On Sep 09, 2010, at 06:46 AM, Mark Sapiro wrote:

>The patch is attached. Since it only affects the web CGIs, it can be
>applied and will be effective without restarting Mailman, although
>since it includes a patch to Utils.py which is imported by the
>qrunners, a restart of Mailman is advisable as soon as convenient
>after applying the patch.

Thanks Mark!
-Barry


From mark at msapiro.net Thu Sep 9 23:43:15 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 09 Sep 2010 14:43:15 -0700
Subject: [Mailman-i18n] Mailman 2.1.14rc1 released.
Message-ID: <4C8954F3.1090305@msapiro.net>

I am happy to announce the first release candidate for the 2.1.14
release of the 2.1 stable maintenance branch of GNU Mailman.

Mailman 2.1.14rc1 is mainly a bug fix release, but it contains one
security fix as previously announced at and one new feature.

This new feature controls the addition/replacement of the Sender: header
in outgoing mail. This allows a list owner to set include_sender_header
on the list's General Options page in the admin GUI. The default for
this setting is Yes which preserves the prior behavior of removing any
pre-existing Sender: and setting it to the list's -bounces address.
Setting this to No stops Mailman from adding or modifying the Sender:
at all. Additionally, there is a new Defaults.py/mm_cfg.py setting
ALLOW_SENDER_OVERRIDES which defaults to Yes but which can be set to No
to remove the include_sender_header setting from General Options, and
thus preserve the prior behavior completely.

Python 2.4 is the minimum supported, but Python 2.5 or 2.6 is
recommended.

See the changelog at for more details.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.
For more information, please see:

http://www.list.org
http://www.gnu.org/software/mailman

Mailman 2.1.14rc1 can be downloaded from

https://launchpad.net/mailman/2.1/
http://ftp.gnu.org/gnu/mailman/

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan


From mark at msapiro.net Mon Sep 20 21:32:39 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 20 Sep 2010 12:32:39 -0700
Subject: [Mailman-i18n] Mailman 2.1.14 released.
Message-ID: <4C97B6D7.8040904@msapiro.net>

I am happy to announce the final release of GNU Mailman 2.1.14.

Mailman 2.1.14 is mainly a bug fix release, but it contains one
security fix as previously announced at and one new feature. It differs
from the previously released 2.1.14rc1 only in wording clarifications
and typo corrections in a few messages.

This new feature controls the addition/replacement of the Sender: header
in outgoing mail. This allows a list owner to set include_sender_header
on the list's General Options page in the admin GUI. The default for
this setting is Yes which preserves the prior behavior of removing any
pre-existing Sender: and setting it to the list's -bounces address.
Setting this to No stops Mailman from adding or modifying the Sender:
at all. Additionally, there is a new Defaults.py/mm_cfg.py setting
ALLOW_SENDER_OVERRIDES which defaults to Yes but which can be set to No
to remove the include_sender_header setting from General Options, and
thus preserve the prior behavior completely.

Python 2.4 is the minimum supported, but Python 2.5 or 2.6 is
recommended.

See the changelog at for more details.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.
For more information, please see:

http://www.list.org
http://www.gnu.org/software/mailman

Mailman 2.1.14 can be downloaded from

https://launchpad.net/mailman/2.1/
http://ftp.gnu.org/gnu/mailman/

--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
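As an added illustration of the Sender: header rule described in the two release announcements above (example code written for this archive, not Mailman's own implementation), the following Python models how include_sender_header and ALLOW_SENDER_OVERRIDES combine for one outgoing message; the list name, domain and sample messages are constructed assumptions.

```python
# Added example, not Mailman's code: models the Sender: header handling
# described for 2.1.14. Settings mirror the announcement: the per-list
# include_sender_header (Yes by default) and the site-wide
# ALLOW_SENDER_OVERRIDES (Yes by default). List and domain are assumed.
from email import message_from_string

LIST_NAME = 'announce'            # constructed example list
LIST_DOMAIN = 'lists.example.com' # constructed example domain

# Constructed sample: a post that already carries two Sender: headers.
SAMPLE_WITH_SENDER = (
    'From: alice@example.org\n'
    'Sender: alice@example.org\n'
    'Sender: relay@example.org\n'
    'Subject: hello\n'
    '\n'
    'body\n')

# Constructed sample: a post with no Sender: header at all.
SAMPLE_NO_SENDER = 'From: bob@example.org\nSubject: hi\n\nbody\n'


def apply_sender_policy(msg, include_sender_header=True,
                        allow_sender_overrides=True):
    """Apply the announced rule to one message in place and return it.

    If ALLOW_SENDER_OVERRIDES is No the per-list option is not offered,
    so the prior behaviour (always rewrite) applies. Otherwise, Yes for
    include_sender_header removes every pre-existing Sender: and sets it
    to the list's -bounces address; No leaves Sender: untouched, whether
    it is present or absent.
    """
    rewrite = include_sender_header if allow_sender_overrides else True
    if rewrite:
        del msg['Sender']  # removes all occurrences, not just the first
        msg['Sender'] = '%s-bounces@%s' % (LIST_NAME, LIST_DOMAIN)
    return msg


def sender_after(raw, **settings):
    """Return the list of Sender: values left after the policy runs."""
    msg = apply_sender_policy(message_from_string(raw), **settings)
    return msg.get_all('Sender', [])


if __name__ == '__main__':
    for inc in (True, False):
        print('include_sender_header=%s ->' % inc,
              sender_after(SAMPLE_WITH_SENDER, include_sender_header=inc))
```

With the defaults, both stray Sender: values are replaced by the single announce-bounces address; with include_sender_header set to No they pass through unchanged, and a message without Sender: gains none.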