Barry A. Warsaw | 9 Nov 2001 23:41

RELEASE Mailman 2.0.7

Hi all,

I'm releasing Mailman 2.0.7 which fixes two potential, though obscure
security or denial-of-service attacks, along with a few other minor
bug fixes.  Details:

- If you are running Python 1.5.2, it is possible for someone to
  carefully craft some cookie data, and then trick Mailman into
  accepting that data, that will crash your Python interpreter.

  If you are not running Python 1.5.2, you should be invulnerable to
  the crash; however, it is still possible for someone to even more
  carefully craft some cookie data that could cause arbitrary class
  constructors to be executed on the server.

  While I believe it is difficult to exploit this, Mailman 2.0.7
  closes this hole completely, by disabling the Cookie.py module's
  default unpickling of cookie data.

- It is possible that Mailman's bounce handler could receive a bounce
  message that looked like a DSN report, but was incorrectly
  formatted.  Under Mailman 2.0.6's bounce detector, you would get a
  traceback for a message that would never be removed from the queue,
  thus potentially wedging your qrunner until the offending message
  was manually deleted.

  Mailman 2.0.7 fixes the DSN.py bounce detector.

There are a few other useful bug fixes in this release, described in
the NEWS excerpt below.  I recommend anybody running a version of

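The hole described in the 2.0.7 announcement above comes from the old Cookie.py module's "smart" cookie classes, which tried to unpickle every incoming cookie value before falling back to a plain string. Unpickling attacker-controlled bytes lets the attacker name any importable callable and have it invoked during decoding. The following is an added example, not code from the Mailman project or from Barry Warsaw: it reproduces that decode behaviour in a few lines (an approximation, not the real module), shows a constructed cookie value triggering a callable of the attacker's choosing, and contrasts it with a decoder that treats the cookie as an opaque, HMAC-authenticated string and never deserialises it. The class, function and key names are all illustrative assumptions.

```python
"""
Why auto-unpickling cookie data is dangerous, and a safe alternative.

Added example for illustration; not Mailman's code. The legacy decoder
below approximates what the pre-2.0.7 Cookie.SmartCookie value_decode
did (try pickle.loads on the cookie value, fall back to the raw string).
"""
import hashlib
import hmac
import pickle

# Records side effects that happen purely because a cookie was decoded.
EXECUTED = []


def _record(tag):
    """Stand-in for arbitrary code: the attacker chooses the callable."""
    EXECUTED.append(tag)
    return tag


class Payload:
    """Unpickling an instance calls _record() with an attacker-supplied arg.
    Any importable callable could be named here instead."""

    def __reduce__(self):
        return (_record, ("constructor ran during unpickling",))


def legacy_value_decode(val):
    """Approximation (assumption) of the old SmartCookie.value_decode:
    attempt to unpickle the cookie value, otherwise return it as text.
    Returns (decoded_value, was_unpickled)."""
    try:
        return pickle.loads(val.encode("latin-1")), True
    except Exception:
        return val, False


# Assumption: a per-site secret that never appears in the cookie itself.
SECRET = b"constructed-demo-key"


def sign(value):
    """Produce a cookie value of the form '<text>|<hex hmac>'."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return "%s|%s" % (value, tag)


def safe_value_decode(val):
    """Treat the cookie as opaque text; accept it only if the MAC verifies.
    No deserialisation of attacker-controlled bytes takes place."""
    value, sep, tag = val.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return value


def demo():
    """Feed the same hostile cookie to both decoders.
    Returns (ran_in_legacy, ran_in_safe)."""
    # Constructed hostile cookie value: protocol-0 pickle is plain ASCII,
    # so it survives as cookie text.
    evil = pickle.dumps(Payload(), protocol=0).decode("latin-1")

    before = len(EXECUTED)
    legacy_value_decode(evil)
    ran_in_legacy = len(EXECUTED) > before

    before = len(EXECUTED)
    safe_value_decode(evil)
    ran_in_safe = len(EXECUTED) > before
    return ran_in_legacy, ran_in_safe


if __name__ == "__main__":
    print("legacy decoder executed attacker callable:", demo()[0])
    print("safe decoder executed attacker callable:", demo()[1])
    print("signed cookie round-trips:", safe_value_decode(sign("user=alice")))
```

The point of the safe decoder is not the MAC by itself but that the server only ever handles the cookie as a string: the fix shipped in 2.0.7 takes the same stance by switching off the module's default unpickling, so no cookie value can reach `pickle.loads` at all.
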
Barry A. Warsaw | 28 Nov 2001 05:31

RELEASE Mailman 2.0.8

Hot on the heels of Mailman 2.0.7, I'm now releasing 2.0.8 which fixes
several cross-site scripting security holes, and a few other minor bug
fixes.  More information on cross-site scripting exploits in general
can be found at

    http://www.cert.org/advisories/CA-2000-02.html

I recommend anybody running a version of Mailman up to, and including,
2.0.7 to upgrade to version 2.0.8.

I've made both full source tarballs and patches available.  Actually,
patches going all the way back to 2.0 are now available on
SourceForge.  See

    http://sourceforge.net/project/showfiles.php?group_id=103

for links to download all the patches and the source tarball.  If you
decide to install the patches, please do read the release notes first:

    http://sourceforge.net/project/shownotes.php?release_id=63042

Currently the SourceForge and www.list.org sites are up-to-date, and I
expect the gnu.org site to be updated soon.

See also:

    http://www.gnu.org/software/mailman
    http://www.list.org
    http://mailman.sf.net

