From mark at msapiro.net  Sun Sep  5 02:59:21 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 04 Sep 2010 17:59:21 -0700
Subject: [Mailman-Announce] Mailman security patch.
Message-ID: <4C82EB69.9000506@msapiro.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I plan to release a Mailman 2.1.14 candidate release towards the end of
next week (Sept 9 or 10). This release will have enhanced XSS defenses
addressing two recently discovered vulnerabilities. Since release of the
code will potentially expose the vulnerabilities, I plan to publish a
patch against the 2.1.13 base with the fix before actually releasing the
2.1.14 candidate.

I will post the patch to the same 4 lists that this post is being sent
to in the early afternoon, GMT, on September 9.

The vulnerabilities are obscure and can only be exploited by a list
owner, but if you are concerned about them you can plan to install the
patch. The patch is small (34 line diff), only affects two modules and
doesn't require a Mailman restart to be effective, although I would
recommend a restart as soon as convenient after applying the patch.

- --
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMgutpVVuXXpU7hpMRAsX1AJ48C0RxSpV7r9lg3J0V7OTs44ISqgCgn1wX
LZ5RkuGLo0r04eDNYOBDYpo=
=gscN
-----END PGP SIGNATURE-----

From mark at msapiro.net  Thu Sep  9 15:46:16 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 09 Sep 2010 06:46:16 -0700
Subject: [Mailman-Announce] Mailman security patch.
In-Reply-To: <4C82EB69.9000506@msapiro.net>
References: <4C82EB69.9000506@msapiro.net>
Message-ID: <4C88E528.9050405@msapiro.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/4/2010 5:59 PM, Mark Sapiro wrote:
> I plan to release a Mailman 2.1.14 candidate release towards the end of
> next week (Sept 9 or 10).
> This release will have enhanced XSS defenses
> addressing two recently discovered vulnerabilities. Since release of the
> code will potentially expose the vulnerabilities, I plan to publish a
> patch against the 2.1.13 base with the fix before actually releasing the
> 2.1.14 candidate.
>
> I will post the patch to the same 4 lists that this post is being sent
> to in the early afternoon, GMT, on September 9.
>
> The vulnerabilities are obscure and can only be exploited by a list
> owner, but if you are concerned about them you can plan to install the
> patch.

The patch is attached. Since it only affects the web CGIs, it can be
applied and will be effective without restarting Mailman, although since
it includes a patch to Utils.py which is imported by the qrunners, a
restart of Mailman is advisable as soon as convenient after applying the
patch.

- --
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMiOUnVVuXXpU7hpMRAkWlAJoCqVN2gSlNummYeDfq+BHcVfSKhACg5qrJ
7Idyd0aET0xWy11P6njxT3w=
=9uxx
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: xss.patch.txt
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xss.patch.txt.sig
Type: application/octet-stream
Size: 65 bytes
Desc: not available
URL:

From barry at list.org  Thu Sep  9 16:41:22 2010
From: barry at list.org (Barry Warsaw)
Date: Thu, 9 Sep 2010 10:41:22 -0400
Subject: [Mailman-Announce] [Mailman-Developers] Mailman security patch.
In-Reply-To: <4C88E528.9050405@msapiro.net>
References: <4C82EB69.9000506@msapiro.net> <4C88E528.9050405@msapiro.net>
Message-ID: <20100909104122.544829c5@mission>

On Sep 09, 2010, at 06:46 AM, Mark Sapiro wrote:

>The patch is attached.
>Since it only affects the web CGIs, it can be
>applied and will be effective without restarting Mailman, although
>since it includes a patch to Utils.py which is imported by the
>qrunners, a restart of Mailman is advisable as soon as convenient
>after applying the patch.

Thanks Mark!
-Barry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL:

From mark at msapiro.net  Thu Sep  9 23:43:15 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 09 Sep 2010 14:43:15 -0700
Subject: [Mailman-Announce] Mailman 2.1.14rc1 released.
Message-ID: <4C8954F3.1090305@msapiro.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am happy to announce the first release candidate for the 2.1.14
release of the 2.1 stable maintenance branch of GNU Mailman.

Mailman 2.1.14rc1 is mainly a bug fix release, but it contains one
security fix as previously announced at and one new feature.

This new feature controls the addition/replacement of the Sender: header
in outgoing mail. This allows a list owner to set include_sender_header
on the list's General Options page in the admin GUI. The default for
this setting is Yes which preserves the prior behavior of removing any
pre-existing Sender: and setting it to the list's -bounces address.
Setting this to No stops Mailman from adding or modifying the Sender: at
all.

Additionally, there is a new Defaults.py/mm_cfg.py setting
ALLOW_SENDER_OVERRIDES which defaults to Yes but which can be set to No
to remove the include_sender_header setting from General Options, and
thus preserve the prior behavior completely.

Python 2.4 is the minimum supported, but Python 2.5 or 2.6 is
recommended.

See the changelog at for more details.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.
For more information, please see:

    http://www.list.org
    http://www.gnu.org/software/mailman

Mailman 2.1.14rc1 can be downloaded from

    https://launchpad.net/mailman/2.1/
    http://ftp.gnu.org/gnu/mailman/

- --
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMiVTzVVuXXpU7hpMRAoOBAJ9toQK+LGWfIW0GQ3bwGd7oQlDUJACfe+8a
wyxtS0VdLRJfjicrVGewmyA=
=uGQl
-----END PGP SIGNATURE-----

From mark at msapiro.net  Mon Sep 20 21:32:39 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 20 Sep 2010 12:32:39 -0700
Subject: [Mailman-Announce] Mailman 2.1.14 released.
Message-ID: <4C97B6D7.8040904@msapiro.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am happy to announce the final release of GNU Mailman 2.1.14.

Mailman 2.1.14 is mainly a bug fix release, but it contains one security
fix as previously announced at and one new feature. It differs from the
previously released 2.1.14rc1 only in wording clarifications and typo
corrections in a few messages.

This new feature controls the addition/replacement of the Sender: header
in outgoing mail. This allows a list owner to set include_sender_header
on the list's General Options page in the admin GUI. The default for
this setting is Yes which preserves the prior behavior of removing any
pre-existing Sender: and setting it to the list's -bounces address.
Setting this to No stops Mailman from adding or modifying the Sender: at
all.

Additionally, there is a new Defaults.py/mm_cfg.py setting
ALLOW_SENDER_OVERRIDES which defaults to Yes but which can be set to No
to remove the include_sender_header setting from General Options, and
thus preserve the prior behavior completely.

Python 2.4 is the minimum supported, but Python 2.5 or 2.6 is
recommended.

See the changelog at for more details.

Mailman is free software for managing email mailing lists and
e-newsletters.
Mailman is used for all the python.org and SourceForge.net mailing
lists, as well as at hundreds of other sites.

For more information, please see:

    http://www.list.org
    http://www.gnu.org/software/mailman

Mailman 2.1.14 can be downloaded from

    https://launchpad.net/mailman/2.1/
    http://ftp.gnu.org/gnu/mailman/

- --
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMl7bXVVuXXpU7hpMRAtKyAJ4hnS08i71tx9nx1iG9wkGI9FalggCgqjnF
3CvTQeW7TOY76+u/KBNBGuM=
=we0d
-----END PGP SIGNATURE-----

From barry at list.org  Tue Sep 21 00:24:22 2010
From: barry at list.org (Barry Warsaw)
Date: Mon, 20 Sep 2010 18:24:22 -0400
Subject: [Mailman-Announce] RELEASED: Mailman 3.0 alpha 6
Message-ID: <20100920182422.7d88704f@mission>

I'm happy (and somewhat relieved :) to announce the release of the sixth
alpha for Mailman 3.0.

There is much new coolness that you will want to explore. The biggest
change is that the administrative REST API has been greatly improved and
is now reasonably well fleshed out. You can create and delete domains
and mailing lists, subscribe and unsubscribe members, and reconfigure
your mailing lists through the REST API. The documentation has specific
examples of how to do it. This means that you can actually start to try
to integrate Mailman with your web sites.

The big push between now and the first beta will be to complete the
import of Mailman 2.1 data, and integrate it with the UI work done by
Anna and Florian for the GSoC.

The tarball can be downloaded from Launchpad or the Cheeseshop:

    https://edge.launchpad.net/mailman
    http://pypi.python.org/pypi/mailman/3.0.0a6

The full documentation is also available online:

    http://packages.python.org/mailman/docs/README.html

See below for the changes since alpha 5. Please note that Mailman 3 is
not yet ready for production, although we'd love it if you test it and
provide feedback!
Enjoy,
-Barry


3.0 alpha 6 -- "Cut to the Chase"
=================================
(2010-09-20)

Commands
--------
 * The functionality of 'bin/list_members' has been moved to
   'bin/mailman members'.
 * 'bin/mailman info' -v/--verbose output displays the file system layout
   paths Mailman is currently configured to use.

Configuration
-------------
 * You can now configure the paths Mailman uses for queue files, lock
   files, data files, etc. via the configuration file. Define a file
   system 'layout' and then select that layout in the [mailman] section.
   Default layouts include 'local' for putting everything in
   /var/tmp/mailman, 'dev' for local development, and 'fhs' for
   Filesystem Hierarchy Standard 2.3 (LP #490144).
 * Queue file directories now live in $var_dir/queues.

REST
----
 * lazr.restful has been replaced by restish as the REST publishing
   technology used by Mailman.
 * New REST API for getting all the members of a roster for a specific
   mailing list.
 * New REST API for getting and setting a mailing list's configuration.
   GET and PUT are supported to retrieve the current configuration, and
   set all the list's writable attributes in one request. PATCH is
   supported to partially update a mailing list's configuration.
   Individual options can be set and retrieved by using subpaths.
 * Subscribing an already subscribed member via REST now returns a 409
   HTTP error. LP: #552917
 * Fixed a bug when deleting a list via the REST API. LP: #601899

Architecture
------------
 * X-BeenThere header is removed.
 * Mailman no longer touches the Sender or Errors-To headers.
 * Chain actions can now fire Zope events in their _process()
   implementations.
 * Environment variable $MAILMAN_VAR_DIR can be used to control the var/
   directory for Mailman's runtime files. New environment variable
   $MAILMAN_UNDER_MASTER_CONTROL is used instead of the qrunner's
   --subproc/-s option.

Miscellaneous
-------------
 * Allow X-Approved and X-Approve headers, equivalent to Approved and
   Approve.
   LP: #557750
 * Various test failure fixes. LP: #543618, LP: #544477
 * List-Post header is retained in MIME digest messages. LP: #526143
 * Importing from a Mailman 2.1.x list is partially supported.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL:
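The Sender: header behaviour announced for 2.1.14 earlier in this thread (the per-list include_sender_header option and the site-wide ALLOW_SENDER_OVERRIDES setting) is easiest to see on a concrete message. The following is an added example written for this page, not Mailman's own code: the function names, the sample post and the -bounces address are all constructed here, and the two settings are modelled as plain booleans rather than read from mm_cfg.py. With include_sender_header off it also reproduces the 3.0 alpha 6 behaviour listed above, where Mailman no longer touches Sender: at all.

```python
"""Model of the Sender: header policy described in the Mailman 2.1.14
announcement.  Added example, not Mailman's own code: function names,
the sample message and the list address are all constructed here."""
from email import message_from_string
from email.message import Message

# Constructed sample post.  The poster's mail client already set a
# Sender: header, which is exactly the case the option decides about.
SAMPLE_POST = """\
From: alice@example.org
Sender: alice-laptop@example.org
To: talk@lists.example.org
Subject: hello list

Hi all.
"""

LIST_BOUNCES = "talk-bounces@lists.example.org"  # constructed -bounces address


def effective_include_sender(include_sender_header: bool,
                             allow_sender_overrides: bool) -> bool:
    """Resolve the per-list option against the site-wide setting.

    ALLOW_SENDER_OVERRIDES = No removes include_sender_header from the
    list's General Options, so the pre-2.1.14 behaviour (Yes) applies
    regardless of what the list option holds.
    """
    if not allow_sender_overrides:
        return True
    return include_sender_header


def apply_sender_policy(msg: Message, bounces_address: str,
                        include_sender_header: bool = True,
                        allow_sender_overrides: bool = True) -> Message:
    """Rewrite (or leave) Sender: the way the announcement describes.

    Yes: drop every pre-existing Sender: and set it to the list's
    -bounces address.  No: do not add or modify Sender: at all.
    """
    if effective_include_sender(include_sender_header, allow_sender_overrides):
        del msg["Sender"]          # removes all occurrences, case-insensitively
        msg["Sender"] = bounces_address
    return msg


def sender_after(raw_message: str, bounces_address: str,
                 include_sender_header: bool = True,
                 allow_sender_overrides: bool = True) -> list:
    """Parse a raw message, apply the policy, return every Sender: value."""
    msg = message_from_string(raw_message)
    apply_sender_policy(msg, bounces_address,
                        include_sender_header, allow_sender_overrides)
    return msg.get_all("Sender", [])


if __name__ == "__main__":
    for include, allow in [(True, True), (False, True), (False, False)]:
        print(f"include_sender_header={include!s:5} "
              f"ALLOW_SENDER_OVERRIDES={allow!s:5} -> Sender: "
              f"{sender_after(SAMPLE_POST, LIST_BOUNCES, include, allow)}")
```

The third case in the demo loop is the one the announcement singles out: when the site sets ALLOW_SENDER_OVERRIDES to No, a list owner's include_sender_header value is ignored and the prior behaviour (a single Sender: pointing at the -bounces address) is restored, which is also why any duplicate Sender: headers in the incoming post disappear in that mode.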