[Mailman-Users] Mailman 2.1.26 Security release Feb 4, 2018

2018-01-20 Thread Mark Sapiro
An XSS vulnerability in the Mailman 2.1 web UI has been reported and
assigned CVE-2018-5950 which is not yet public.

I plan to release Mailman 2.1.26 along with a patch for older releases
to fix this issue on Feb 4, 2018. At that time, full details of the
vulnerability will be public.

This is advance notice of the upcoming release and patch for those that
need a week or two to prepare. The patch will be small and only affect
one module.

-- 
Mark Sapiro                              The highway is for gamblers,
San Francisco Bay Area, California       better use your sense - B. Dylan



--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Reply-to options not working

2018-01-20 Thread Mark Sapiro
On 01/20/2018 10:18 AM, Hal via Mailman-Users wrote:
> I'm a little confused about the "reply-to" setting as I was pretty sure
> I had set my list up so that all replies by default go back to the list,
> but for some reason a reply goes directly to the sender.


If you set "reply_goes_to_list" to "this list", "reply_to_address" is
ignored, and Mailman adds the list posting address to a Reply-To: header
in the outgoing mail. If there is an incoming Reply-To: and
"first_strip_reply_to" is "no" the address is added to the incoming
Reply-To:. If there is no incoming Reply-To: or "first_strip_reply_to"
is "yes", the address is the only address in the outgoing Reply-To:.

If "reply_goes_to_list" is "explicit address" then "reply_to_address" is
added rather than the list posting address. If "reply_to_address" is the
list posting address, then it's the same as "this list".

What actually happens with "reply" depends on a few things. If the mail
client involved is Thunderbird, it doesn't behave as expected. See
. In short, in
recent T'bird if the message has a List-Post: header and T'bird offers a
"Reply List" button, "Reply" will ignore Reply-To: if it's the list
address and reply to the From:. In more recent T'bird, you can restore
the expected behavior by setting mail.override_list_reply_to False in
the config editor (see
), but this has to
be done by every list member that uses T'bird.

There are other possibilities, but I think the above is the likely issue
in your case.

-- 
Mark Sapiro                              The highway is for gamblers,
San Francisco Bay Area, California       better use your sense - B. Dylan
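
The Reply-To: rules and the Thunderbird "Reply" behaviour described in the reply above, as an added example that is not part of the original thread and is not Mailman's or Thunderbird's own code. The function names, the sample message, the example.org addresses and the order of addresses in the rebuilt header are assumptions; only the two "reply_goes_to_list" modes discussed above are modelled.

```python
import email
from email.utils import getaddresses

def outgoing_reply_to(msg, list_address, reply_goes_to_list,
                      reply_to_address="", first_strip_reply_to=False):
    """Rewrite Reply-To: on msg per the rules above; return the address list."""
    if reply_goes_to_list == "this list":
        added = list_address            # reply_to_address is ignored in this mode
    elif reply_goes_to_list == "explicit address":
        added = reply_to_address
    else:
        raise ValueError("mode not covered by this sketch")
    kept = []
    if not first_strip_reply_to:        # keep the poster's own Reply-To:
        kept = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    result = []
    for addr in kept + [added]:         # ordering is an assumption
        if addr and addr.lower() not in [r.lower() for r in result]:
            result.append(addr)
    del msg["Reply-To"]                 # no error if the header is absent
    msg["Reply-To"] = ", ".join(result)
    return result

def reply_button_target(msg, override_list_reply_to=True):
    """Simplified model of the Thunderbird 'Reply' behaviour described above."""
    reply_to = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", []))]
    post = msg.get("List-Post", "").strip().strip("<>")
    post = post.replace("mailto:", "", 1).lower()
    sender = getaddresses([msg["From"]])[0][1]
    if not reply_to:
        return [sender]
    # Reply-To: that is just the list address is ignored when a
    # "Reply List" button is on offer (List-Post: present).
    if override_list_reply_to and post and reply_to == [post]:
        return [sender]
    return reply_to

# Constructed sample post, with the List-Post: header a list delivery carries.
SAMPLE = """\
From: Alice <alice@example.com>
Reply-To: alice-alt@example.com
List-Post: <mailto:demo@lists.example.org>
Subject: hello

body
"""

def load_sample():
    return email.message_from_string(SAMPLE)
```

With "first_strip_reply_to" set to "yes" the only Reply-To: address is the list, which is the case where the modelled "Reply" button goes to the From: address unless the preference is turned off.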


[Mailman-Users] Reply-to options not working

2018-01-20 Thread Hal via Mailman-Users
I'm a little confused about the "reply-to" setting as I was pretty sure 
I had set my list up so that all replies by default go back to the list, 
but for some reason a reply goes directly to the sender.


I had "reply_goes_to_list" set to "this list" along with the list's 
posting address set for the "reply_to_address". Since this didn't work, 
I tried to read the details/help for the Mailman web-interface but 
can't seem to figure this out.
I did change the "reply_goes_to_list" setting to "Explicit address" but 
that didn't appear to change anything.

I'm on Mailman 2.1.12.


Hal