[Mailman-Users] Mailman 2.1.28 Security Release

2018-07-23 Thread Mark Sapiro
I am pleased to announce the release of Mailman 2.1.28.

Python 2.6 is the minimum supported, but Python 2.7 is strongly recommended.

This is a minor security fix release. It also has some i18n updates and
a couple of bug fixes and adds the ability to edit list specific
templates through the web admin UI in a supported language other than
the list's default. See the attached README.txt for details.

For details of the security issue, see the report at
 which also includes a
patch for those who want to fix this issue without upgrading.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.

For more information, please see our web site at one of:

http://www.list.org
https://www.gnu.org/software/mailman
http://mailman.sourceforge.net/
https://mirror.list.org/

Mailman 2.1.28 can be downloaded from

https://launchpad.net/mailman/2.1/
https://ftp.gnu.org/gnu/mailman/
https://sourceforge.net/projects/mailman/

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

2.1.28 (23-Jul-2018)

  Security
 
- A content spoofing vulnerability with invalid list name messages in
  the web UI has been fixed.  CVE-2018-13796  (LP: #1780874)

  New Features

- It is now possible to edit HTML and text templates via the web admin
  UI in a supported language other than the list's preferred_language.
  Thanks to Yasuhito FUTATSUKI.

  i18n

- The Japanese translation has been updated by Yasuhito FUTATSUKI.

- The German translation has been updated by Ralf Hildebrandt.

- The Esperanto translation has been updated by Rubén Fernández Asensio.

  Bug fixes and other patches

- The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature added in 2.1.27 was
  not working.  This is fixed.  (LP: #1779774)

- Escaping of HTML entities for the web UI is now done more selectively.
  (LP: #1779445)



--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"

2018-07-23 Thread John Levine
In article  
you write:
>On Sun, Jul 22, 2018 at 3:18 PM Grant Taylor via Mailman-Users <
>mailman-users@python.org> wrote:
>
>> On 07/21/2018 02:24 PM, John Levine wrote:
>> > I know people working on whiteish lists to use with ARC, to say that
>> > these domains are known to host real mailing lists so you should believe
>> > their ARC assertions.
>
>Why not just have that list, and a X-Trust-Me: YES header? It would be much
>simpler to implement than ARC.

There turns out to be an actual answer to this question, which I have
asked people from Google.

When someone gets his address book stolen from his botted PC, spamware
will send spam to everyone in his address book using his address on
the From: line.  If some of those addresses are lists, those lists
will generally forward the spam even though they are otherwise legit.

Google tells me this happens often enough that they can't just
whitelist mailing lists, and ARC gives them the clues to tell
forwarded bot spam from forwarded real mail.  I've certainly seen
it both on lists I run and lists I subscribe to.

As I said a few messages ago, if lists did more stringent tests on
incoming mail, a lot of this complexity could be avoided, but they
don't so it can't.

R's,
John


Re: [Mailman-Users] ARC, was non-subscribers getting through--email address in "Real Name"

2018-07-23 Thread Joseph Brennan
On Sun, Jul 22, 2018 at 3:18 PM Grant Taylor via Mailman-Users <
mailman-users@python.org> wrote:

> On 07/21/2018 02:24 PM, John Levine wrote:
> > I know people working on whiteish lists to use with ARC, to say that
> > these domains are known to host real mailing lists so you should believe
> > their ARC assertions.
>

Why not just have that list, and a X-Trust-Me: YES header? It would be much
simpler to implement than ARC.

Joseph Brennan
Columbia University I T