I am pleased to announce the release of Mailman 2.1.27. Python 2.6 is the minimum supported, but Python 2.7 is strongly recommended.
This is a routine bug fix release with a few new features and some minor security enhancements. See the attached README.txt for details.

Mailman is free software for managing email mailing lists and e-newsletters. Mailman is used for all the python.org and SourceForge.net mailing lists, as well as at hundreds of other sites.

For more information, please see our web site at one of:

http://www.list.org
https://www.gnu.org/software/mailman
http://mailman.sourceforge.net/
https://mirror.list.org/

Mailman 2.1.27 can be downloaded from

https://launchpad.net/mailman/2.1/
https://ftp.gnu.org/gnu/mailman/
https://sourceforge.net/projects/mailman/

--
Mark Sapiro <[email protected]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

2.1.27 (22-Jun-2018)
Security
- Existing protections against malicious listowners injecting evil
scripts into listinfo pages have had a few more checks added.
JVN#00846677/JPCERT#97432283
- A few more error messages have had their values HTML escaped.
JVN#00846677/JPCERT#97432283
- The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
the same as one generated at the same time for a different list and
IP address. While this is not thought to be exploitable in any way,
the generation has been changed to avoid this. Thanks to Ralf Jung.
New Features
- An option has been added to bin/add_members to issue invitations
instead of immediately adding members. (LP: #1773064)
- A new BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE setting has been added to
enable blocking web subscribes from IPv4 addresses listed in Spamhaus
SBL, CSS or XBL. It will work with IPv6 addresses if Python's
py2-ipaddress module is installed. The module can be installed via pip
if not included in your Python.
- Thanks to Jim Popovitch, Mailman has a new 'security' log and logs
authentication failures to the various web CGI functions. The logged
data include the remote IP and can be used to automate blocking of IPs
with something like fail2ban. Since Mailman 2.1.14, these have returned
an http 401 status and the information should be logged by the web
server, but this new log makes that more convenient. Also, the
'mischief' log entries for 'hostile listname' now include the remote IP
if available.
- Thanks to Jim Popovitch, admin notices of (un)subscribes now may give
the source of the action. This consists of a %(whence)s replacement
that has been added to the admin(un)subscribeack.txt templates. Thanks
to Yasuhito FUTATSUKI for updating the non-English templates and help
with internationalizing the reasons.
- Thanks to Jim Popovitch, there is a new
BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE setting to enable blocking web
subscribes for addresses in domains listed in the Spamhaus DBL.
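
The lookup behind a setting like BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE, as an added example for Python 3 (not Mailman's own code). It assumes the combined zen.spamhaus.org zone and Spamhaus's published return codes; the resolver is passed in as a function, and the sample zone data is constructed so the block runs offline.

```python
import ipaddress

ZEN_ZONE = "zen.spamhaus.org"  # assumption: the combined Spamhaus zone is queried

# Spamhaus return codes for the three lists named in the release notes.
# Any other answer (for example a PBL-only listing) does not count as a hit.
LISTS = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL",
    "127.0.0.6": "XBL", "127.0.0.7": "XBL",
}

def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Build the DNSBL query name: reversed octets (IPv4) or nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6 needs the fully expanded form, which is why an ipaddress
        # module is required: 32 hex nibbles, reversed, one per label.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def blocking_lists(ip, resolve):
    """Return the sorted SBL/CSS/XBL listings for ip.

    resolve(name) is a caller-supplied function (hypothetical interface)
    returning the A records for name as strings, or [] on NXDOMAIN.
    """
    answers = resolve(dnsbl_query_name(ip))
    return sorted({LISTS[a] for a in answers if a in LISTS})

def should_block_subscribe(ip, resolve):
    """True when the remote address is on at least one blocking list."""
    return bool(blocking_lists(ip, resolve))

# Constructed sample zone data (documentation addresses, not real listings).
SAMPLE_ZONE = {
    "99.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],  # SBL + XBL
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.10"],              # PBL only
}

def fake_resolver(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.10", "2001:db8::1"):
        print(ip, dnsbl_query_name(ip), blocking_lists(ip, fake_resolver))
```
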
i18n
- The Japanese translation has been updated by Yasuhito FUTATSUKI.
- The Russian translation has been updated by Danil Smirnov.
- A partial Esperanto translation has been added. Thanks to
Rubén Fernández Asensio.
- Fixed a '# -*- coding:' line in the Russian message catalog that was
mistakenly translated to Russian. (LP: #1777342)
Bug fixes and other patches
- Some messages from bin/arch were not issued in the charset of the system
locale when DISABLE_COMMAND_LOCALE_CSET is No. Thanks to Yasuhito
FUTATSUKI this is now fixed. (LP: #1768892)
- The message displayed in the browser when accessing a Mailman CGI when
mm_cfg.py can't be imported due to some exception other than ImportError
has been improved. (LP: #1760506)
- The reimplementation of DELIVERY_RETRY_WAIT in 2.1.26 could cause extra
dequeueing and requeueing in the out queue by OutgoingRunner. This is
fixed. (LP: #1762871)
- A Python 2.7 dependency introduced in the ToDigests handler in Mailman
2.1.24 has been removed. (LP: #1755317)
- Bad values in a list's topics will no longer break everything that
might instantiate the list. (LP: #1754516)
- A Python 2.7 dependency introduced with the reCAPTCHA feature in 2.1.26
has been removed. (LP: #1752658)
- The reCAPTCHA feature requires JavaScript. If JavaScript is not enabled,
a message will be displayed on the subscribe form that JavaScript is
required. (LP: #1769374)
- Quoting in the mailman-config command has been changed from double to
single quotes to allow double-quoted parameters. (LP: #1774986)
- Approving a held subscription for a user with a 'different' preferred
language no longer corrupts the results page. (LP: #1777222)
- An issue with garbled descriptions on listinfo and admin overview pages
and the heading of a list's listinfo page due to incompatible character
sets has been fixed thanks to Yasuhito FUTATSUKI.
Miscellaneous
- Added to the contrib directory, a script from Jim Popovitch to generate
Sitemap files for a list's archive.
_______________________________________________
Mailman-Developers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
