Hello community,

here is the log from the commit of package mailman for openSUSE:Factory checked in at 2018-06-27 10:23:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mailman (Old)
 and      /work/SRC/openSUSE:Factory/.mailman.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mailman" Wed Jun 27 10:23:26 2018 rev:40 rq:619324 version:2.1.27 Changes: -------- --- /work/SRC/openSUSE:Factory/mailman/mailman.changes 2018-03-20 22:00:25.601538051 +0100 +++ /work/SRC/openSUSE:Factory/.mailman.new/mailman.changes 2018-06-27 10:23:30.839459001 +0200 
@@ -1,0 +2,39 @@ +Wed Jun 27 06:15:05 UTC 2018 - lie...@rz.uni-mannheim.de + +- update to 2.1.27 + * Existing protections against malicious listowners injecting evil + scripts into listinfo pages have had a few more checks added. + JVN#00846677/JPCERT#97432283/CVE-2018-0618 + * A few more error messages have had their values HTML escaped. + JVN#00846677/JPCERT#97432283/CVE-2018-0618 + * The hash generated when SUBSCRIBE_FORM_SECRET is set could have been + the same as one generated at the same time for a different list and + IP address. While this is not thought to be exploitable in any way, + the generation has been changed to avoid this. + * An option has been added to bin/add_members to issue invitations + instead of immediately adding members. + * A new BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE setting has been added to + enable blocking web subscribes from IPv4 addresses listed in Spamhaus + SBL, CSS or XBL. It will work with IPv6 addresses if Python's + py2-ipaddress module is installed. The module can be installed via pip + if not included in your Python. + * Mailman has a new 'security' log and logs + authentication failures to the various web CGI functions. The logged + data include the remote IP and can be used to automate blocking of IPs + with something like fail2ban. Since Mailman 2.1.14, these have returned + an http 401 status and the information should be logged by the web + server, but this new log makes that more convenient. Also, the + 'mischief' log entries for 'hostile listname' noe include the remote IP + if available. + * admin notices of (un)subscribes now may give + the source of the action. This consists of a %(whence)s replacement + that has been added to the admin(un)subscribeack.txt templates. Thanks + to Yasuhito FUTATSUKI for updating the non-English templates and help + with internationalizing the reasons. 
+ * there is a new + BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE setting to enable blocking web + subscribes for addresses in domains listed in the Spamhaus DBL. + * i18n & Bugfixes + * for further details see NEWS + +------------------------------------------------------------------- Old: ---- mailman-2.1.26.tgz mailman-2.1.26.tgz.sig New: ---- mailman-2.1.27.tgz mailman-2.1.27.tgz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mailman.spec ++++++ --- /var/tmp/diff_new_pack.9fzP6D/_old 2018-06-27 10:23:31.715427061 +0200 +++ /var/tmp/diff_new_pack.9fzP6D/_new 2018-06-27 10:23:31.719426915 +0200 @@ -26,7 +26,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: mailman -Version: 2.1.26 +Version: 2.1.27 Release: 0 Summary: The GNU Mailing List Manager License: GPL-2.0-or-later ++++++ mailman-2.1.26.tgz -> mailman-2.1.27.tgz ++++++ /work/SRC/openSUSE:Factory/mailman/mailman-2.1.26.tgz /work/SRC/openSUSE:Factory/.mailman.new/mailman-2.1.27.tgz differ: char 5, line 1
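Review bot: In the mailman.changes hunk, the two CVE-2018-0618 bullets cite the JVN and JPCERT ids but no openSUSE Bugzilla reference; if a tracking bug exists for this CVE, add it to the entry so the fix can be matched to the update. In the 'security' log bullet, "noe include the remote IP" should read "now include". The last two feature bullets start in lowercase ("admin notices of ...", "there is a new ...") unlike the others, and BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE would read better placed directly after BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE, since the two settings belong together.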
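Review bot: In the mailman.spec hunk the Version line is the only packaging change, while the changelog for 2.1.27 announces a new 'security' log; please confirm that the package's existing log rotation and file list already cover that log, or extend them in this request. The changelog also says the Spamhaus IP check only handles IPv6 when the py2-ipaddress module is installed, so it is worth stating in the changes entry whether the package pulls that module in or leaves it to the admin.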