[Hosting] Mailman 2.0.8 is live

Christian J Hedemark hosting.a.t.trilug.org
Sun, 2 Dec 2001 21:51:04 -0500


I have a backup of the old install in my home dir on fatalpha if something
goes terribly wrong (which the SC has access to).  But I did some quick
tests of mail & web interfaces and it all looked good.  We're up from 2.0.5.
This was mostly for security purposes.

Here is a history of user visible changes to Mailman.

2.0.8 (27-Nov-2001)

    Security fix release to prevent cross-site scripting exploits.
    See http://www.cert.org/advisories/CA-2000-02.html for a
    description of the general problem (not Mailman specific).

2.0.7 (09-Nov-2001)

    Security fixes:

    - Closed a hole in cookie management whereby some carefully
      crafted untrusted cookie data could crash Mailman if used with
      Python 1.5.2, or cause some unintended class constructors to be
      run on the server.

    - In the DSN.py bounce handler, a message that was DSN-like, but
      which was missing a "report-type" parameter could cause a
      non-deletable bounce message to crash Mailman forever, requiring
      manual intervention.

    Bug fixes:

    - Stray % signs in headers and footers could cause crashes.  Now
      they'll just cause an [INVALID HEADER] or [INVALID FOOTER]
      string to be added.

    - The mail->news gateway has been made more robust in the face of
      duplicate headers, and reserved headers that some news servers
      reject.  If the message is still rejected, it is saved in
      $prefix/nntp instead of discarded.

    - Hand-crafted invalid chunk number in membership management
      display could cause a traceback.

2.0.6 (25-Jul-2001)

    Security fix:

    - Fixed a potential security hole which could allow access to list
      administrative features by unauthorized users.  If there is an
      empty data/adm.pw file (the site password file), then any
      password will be accepted as the list administrative password.
      This exploit is caused by a common "bug" in the crypt() function
      suffered by several Unix distributions, including at least
      GNU/Linux and Solaris.  Given a salt string of length zero,
      crypt() always returns the empty string.

      In lieu of applying this patch, sites can run bin/mmsitepass and
      ensure that data/adm.pw is of length 2 or greater.

    Bug fixes:

    - Ensure that even if DEFAULT_URL is misconfigured in mm_cfg.py
      (i.e. is missing a trailing slash), it is always fixed upon list
      creation.

    - Check for administrivia holds before any other tests.

    - SF bugs fixed: 407666, 227694

    - Other miscellaneous buglets fixed.
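To make the 2.0.6 site-password hole concrete, here is an added example that is not part of this post or of Mailman's own code: it models the pre-fix check against an empty data/adm.pw beside a check that enforces the "length 2 or greater" condition the advisory gives. The platform crypt() bug is simulated by a constructed stand-in (buggy_crypt) so the block runs on any Python 3 without the crypt module; make_site_password stands in for what bin/mmsitepass writes.

```python
# Added example (not from the Mailman post or the Mailman code base). It models
# the 2.0.6 site-password check; buggy_crypt is a constructed stand-in for the
# platform crypt() behaviour the NEWS entry describes, not real DES crypt.
import hashlib


def buggy_crypt(password: str, salt: str) -> str:
    """Constructed stand-in for the affected crypt(): a zero-length salt yields
    the empty string no matter what password is supplied."""
    if len(salt) == 0:
        return ""
    # Otherwise act like a salted one-way hash with the salt prefixed,
    # which is the property the checks below rely on (illustration only).
    digest = hashlib.sha256((salt[:2] + password).encode()).hexdigest()[:11]
    return salt[:2] + digest


def check_site_password_vulnerable(candidate: str, stored: str) -> bool:
    """Pre-2.0.6 style check: trusts whatever data/adm.pw holds and uses its
    first two characters as the salt. With an empty file the salt is empty,
    crypt() returns "", and "" == "" accepts every candidate."""
    return buggy_crypt(candidate, stored[:2]) == stored


def check_site_password_fixed(candidate: str, stored: str) -> bool:
    """Hardened check: an adm.pw entry shorter than two characters cannot
    carry a salt, so treat it as 'no site password set' and refuse all."""
    if len(stored) < 2:
        return False
    return buggy_crypt(candidate, stored[:2]) == stored


def make_site_password(password: str, salt: str = "ab") -> str:
    """What bin/mmsitepass conceptually produces: a salted hash that is always
    at least two characters long, which is the mitigation the entry names."""
    return buggy_crypt(password, salt)


def adm_pw_is_safe(stored: str) -> bool:
    """Operational check a site can run on the contents of data/adm.pw:
    mirrors the 'length 2 or greater' condition from the 2.0.6 note."""
    return len(stored) >= 2
```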