Hello community,
here is the log from the commit of package mailman for openSUSE:Factory checked
in at 2018-06-27 10:23:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mailman (Old)
and /work/SRC/openSUSE:Factory/.mailman.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mailman"
Wed Jun 27 10:23:26 2018 rev:40 rq:619324 version:2.1.27
Changes:
--------
--- /work/SRC/openSUSE:Factory/mailman/mailman.changes 2018-03-20
22:00:25.601538051 +0100
+++ /work/SRC/openSUSE:Factory/.mailman.new/mailman.changes 2018-06-27
10:23:30.839459001 +0200
@@ -1,0 +2,39 @@
+Wed Jun 27 06:15:05 UTC 2018 - lie...@rz.uni-mannheim.de
+
+- update to 2.1.27
+ * Existing protections against malicious listowners injecting evil
+ scripts into listinfo pages have had a few more checks added.
+ JVN#00846677/JPCERT#97432283/CVE-2018-0618
+ * A few more error messages have had their values HTML escaped.
+ JVN#00846677/JPCERT#97432283/CVE-2018-0618
+ * The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
+ the same as one generated at the same time for a different list and
+ IP address. While this is not thought to be exploitable in any way,
+ the generation has been changed to avoid this.
+ * An option has been added to bin/add_members to issue invitations
+ instead of immediately adding members.
+ * A new BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE setting has been added to
+ enable blocking web subscribes from IPv4 addresses listed in Spamhaus
+ SBL, CSS or XBL. It will work with IPv6 addresses if Python's
+ py2-ipaddress module is installed. The module can be installed via pip
+ if not included in your Python.
+ * Mailman has a new 'security' log and logs
+ authentication failures to the various web CGI functions. The logged
+ data include the remote IP and can be used to automate blocking of IPs
+ with something like fail2ban. Since Mailman 2.1.14, these have returned
+ an http 401 status and the information should be logged by the web
+ server, but this new log makes that more convenient. Also, the
+ 'mischief' log entries for 'hostile listname' noe include the remote IP
+ if available.
+ * admin notices of (un)subscribes now may give
+ the source of the action. This consists of a %(whence)s replacement
+ that has been added to the admin(un)subscribeack.txt templates. Thanks
+ to Yasuhito FUTATSUKI for updating the non-English templates and help
+ with internationalizing the reasons.
+ * there is a new
+ BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE setting to enable blocking web
+ subscribes for addresses in domains listed in the Spamhaus DBL.
+ * i18n & Bugfixes
+ * for further details see NEWS
+
+-------------------------------------------------------------------
Old:
----
mailman-2.1.26.tgz
mailman-2.1.26.tgz.sig
New:
----
mailman-2.1.27.tgz
mailman-2.1.27.tgz.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mailman.spec ++++++
--- /var/tmp/diff_new_pack.9fzP6D/_old 2018-06-27 10:23:31.715427061 +0200
+++ /var/tmp/diff_new_pack.9fzP6D/_new 2018-06-27 10:23:31.719426915 +0200
@@ -26,7 +26,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: mailman
-Version: 2.1.26
+Version: 2.1.27
Release: 0
Summary: The GNU Mailing List Manager
License: GPL-2.0-or-later
++++++ mailman-2.1.26.tgz -> mailman-2.1.27.tgz ++++++
/work/SRC/openSUSE:Factory/mailman/mailman-2.1.26.tgz
/work/SRC/openSUSE:Factory/.mailman.new/mailman-2.1.27.tgz differ: char 5, line
1
