Barry A. Warsaw | 13 Jul 2001 22:15

[ANNOUNCE] Mailman 2.1 alpha 2

This is the official announcement for Mailman 2.1 alpha 2.  Because it's
an alpha, this announcement is only going out to the mailman-* mailing
lists.  I'll make two warnings: you probably should still not use this
version for production systems (but TIA for any and all testing you do
with it!), and I've already had a couple of bug fixes from early
adopters.  2.1a2 should still be useful, but you might want to keep an
eye on cvs and the mailman-checkins list for updates.

I am only making the tarball available on SourceForge, so you'll need
to go to http://sf.net/projects/mailman to grab it.  You'll also need
to upgrade to mimelib-0.4, so be sure to go to
http://sf.net/projects/mimelib to grab and install that tarball first.

To view the on-line documentation, see

    http://www.list.org/MM21/index.html

or

    http://mailman.sf.net/MM21/index.html

Below is an excerpt from the NEWS file for all the changes since
2.1alpha1.  There are a bunch of new features coming down the pike,
and I hope to have an alpha3 out soon.  I'm also planning on doing
much more stress testing of this version with real list traffic, and
I'm hoping we'll start to get more languages integrated into cvs.

Enjoy,
-Barry

Barry A. Warsaw | 25 Jul 2001 21:54

ANNOUNCE Mailman 2.0.6

Folks,

I've just released Mailman 2.0.6 which fixes a potential security
problem in Mailman 2.0.x, and includes a few other minor bug fixes.

It is possible, although unlikely, that you could have an empty site
password, or an empty list password.  Because of peculiarities in the
Unix crypt() function, such empty passwords could allow unauthorized
access to the list administrative pages with an arbitrary password
string.  This situation does not occur normally, but it is possible to
create it by accident (e.g. by touch'ing data/adm.pw).

This patch ensures that such empty passwords do not allow unauthorized
access, by first checking to make sure that the salt is at least 2
characters in length.  Alternatively, you can make sure that either
data/adm.pw does not exist or that it is not empty.  For the extra
paranoid, you'd need to be sure that none of your lists have empty
passwords, but that's an even more difficult situation to create by
accident.

This patch guards against both situations.  Please note that Mailman
2.1alpha is not vulnerable to this problem because it does not use
crypt().

A few other minor bugs have been fixed; see the NEWS excerpt below for
details.

As usual, I'm releasing this as both a complete tarball and as a patch
against Mailman 2.0.5.  You /must/ update your source to 2.0.5 before
applying the 2.0.6 patch.  Since the patch is small, I'm including it


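The salt-length guard and the data/adm.pw check described in the 2.0.6 announcement, sketched as an added example; it is not part of the original message and not Mailman's own code. `demo_crypt` is a constructed stand-in for crypt() whose empty-salt behaviour is an assumption, and all function names and return labels are hypothetical.

```python
import hashlib
import hmac
import os

MIN_SALT_LEN = 2  # from the announcement: salt must be at least 2 characters

def demo_crypt(word, salt):
    """Constructed stand-in for crypt(3), for this demo only.

    Assumption: a salt shorter than 2 characters yields an empty result,
    modelling the peculiarity described above; real crypt() varies by platform.
    """
    if len(salt) < MIN_SALT_LEN:
        return ""
    return salt + hashlib.sha256((salt + word).encode()).hexdigest()[:11]

def unguarded_check(stored, response, crypt_fn=demo_crypt):
    """The 'before' shape: with stored == '' any response compares equal."""
    return crypt_fn(response, stored[:MIN_SALT_LEN]) == stored

def guarded_check(stored, response, crypt_fn=demo_crypt):
    """Reject a stored value too short to carry a salt, then compare."""
    if not stored or len(stored) < MIN_SALT_LEN:
        return False
    computed = crypt_fn(response, stored[:MIN_SALT_LEN])
    if not computed:
        return False
    return hmac.compare_digest(computed.encode(), stored.encode())

def audit_password_file(path):
    """Classify a password file such as data/adm.pw (labels are this example's)."""
    if not os.path.exists(path):
        return "absent"
    with open(path, "rb") as fp:
        value = fp.read().strip()
    return "ok" if len(value) >= MIN_SALT_LEN else "empty-or-too-short"

if __name__ == "__main__":
    stored = demo_crypt("s3cret", "ab")  # constructed sample credential
    print("unguarded, empty stored value:", unguarded_check("", "anything"))
    print("guarded, empty stored value:  ", guarded_check("", "anything"))
    print("guarded, correct password:    ", guarded_check(stored, "s3cret"))
```

Pointing `audit_password_file` at each password file of an installation flags the accidental empty-file case before any login attempt reaches the comparison.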