Mark Sapiro | 5 Sep 02:59 2010

Mailman security patch.


I plan to release a Mailman 2.1.14 candidate release towards the end of
next week (Sept 9 or 10). This release will have enhanced XSS defenses
addressing two recently discovered vulnerabilities. Since release of the
code will potentially expose the vulnerabilities, I plan to publish a
patch against the 2.1.13 base with the fix before actually releasing the
2.1.14 candidate.

I will post the patch to the same 4 lists that this post is being sent
to in the early afternoon, GMT, on September 9.

The vulnerabilities are obscure and can only be exploited by a list
owner, but if you are concerned about them you can plan to install the
patch.

The patch is small (34 line diff), only affects two modules and doesn't
require a Mailman restart to be effective, although I would recommend a
restart as soon as convenient after applying the patch.

-- 
Mark Sapiro <mark <at> msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Mark Sapiro | 9 Sep 15:46 2010

Re: [Mailman-Announce] Mailman security patch.


On 9/4/2010 5:59 PM, Mark Sapiro wrote:
> I plan to release a Mailman 2.1.14 candidate release towards the end of
> next week (Sept 9 or 10). This release will have enhanced XSS defenses
> addressing two recently discovered vulnerabilities. Since release of the
> code will potentially expose the vulnerabilities, I plan to publish a
> patch against the 2.1.13 base with the fix before actually releasing the
> 2.1.14 candidate.
> 
> I will post the patch to the same 4 lists that this post is being sent
> to in the early afternoon, GMT, on September 9.
> 
> The vulnerabilities are obscure and can only be exploited by a list
> owner, but if you are concerned about them you can plan to install the
> patch.

The patch is attached. Since it only affects the web CGIs, it can be
applied and will be effective without restarting Mailman, although since
it includes a patch to Utils.py which is imported by the qrunners, a
restart of Mailman is advisable as soon as convenient after applying the
patch.

-- 
Mark Sapiro <mark <at> msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

=== modified file 'Mailman/Cgi/listinfo.py'
--- Mailman/Cgi/listinfo.py	2010-06-24 04:09:34 +0000

Barry Warsaw | 9 Sep 16:41 2010

Re: [Mailman-Developers] [Mailman-Announce] Mailman security patch.

On Sep 09, 2010, at 06:46 AM, Mark Sapiro wrote:

>The patch is attached. Since it only affects the web CGIs, it can be
>applied and will be effective without restarting Mailman, although
>since it includes a patch to Utils.py which is imported by the
>qrunners, a restart of Mailman is advisable as soon as convenient
>after applying the patch.

Thanks Mark!
-Barry
Mark Sapiro | 9 Sep 23:43 2010

Mailman 2.1.14rc1 released.


I am happy to announce the first release candidate for the 2.1.14
release of the 2.1 stable maintenance branch of GNU Mailman.

Mailman 2.1.14rc1 is mainly a bug fix release, but it contains one
security fix as previously announced at
<http://mail.python.org/pipermail/mailman-announce/2010-September/000151.html>
and one new feature.

This new feature controls the addition/replacement of the Sender:
header in outgoing mail. This allows a list owner to set
include_sender_header on the list's General Options page in the
admin GUI. The default for this setting is Yes which preserves the prior
behavior of removing any pre-existing Sender: and setting it to the
list's -bounces address. Setting this to No stops Mailman from adding or
modifying the Sender: at all.

Additionally, there is a new Defaults.py/mm_cfg.py setting
ALLOW_SENDER_OVERRIDES which defaults to Yes but which can be set to No
to remove the include_sender_header setting from General Options, and
thus preserve the prior behavior completely.

Python 2.4 is the minimum supported, but Python 2.5 or 2.6 is recommended.

See the changelog at <https://launchpad.net/mailman/2.1/2.1.14rc1> for
more details.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.

Mark Sapiro | 20 Sep 21:32 2010

Mailman 2.1.14 released.


I am happy to announce the final release of GNU Mailman 2.1.14.

Mailman 2.1.14 is mainly a bug fix release, but it contains one
security fix as previously announced at
<http://mail.python.org/pipermail/mailman-announce/2010-September/000151.html>
and one new feature.

It differs from the previously released 2.1.14rc1 only in wording
clarifications and typo corrections in a few messages.

This new feature controls the addition/replacement of the Sender:
header in outgoing mail. This allows a list owner to set
include_sender_header on the list's General Options page in the
admin GUI. The default for this setting is Yes which preserves the prior
behavior of removing any pre-existing Sender: and setting it to the
list's -bounces address. Setting this to No stops Mailman from adding or
modifying the Sender: at all.

Additionally, there is a new Defaults.py/mm_cfg.py setting
ALLOW_SENDER_OVERRIDES which defaults to Yes but which can be set to No
to remove the include_sender_header setting from General Options, and
thus preserve the prior behavior completely.

Python 2.4 is the minimum supported, but Python 2.5 or 2.6 is recommended.

See the changelog at <https://launchpad.net/mailman/2.1/2.1.14> for
more details.

Mailman is free software for managing email mailing lists and

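The Sender: header policy described in the 2.1.14rc1 and 2.1.14 announcements above (include_sender_header per list, ALLOW_SENDER_OVERRIDES site-wide), worked through as an added example using Python's email module; this is not Mailman's own code, and the function names, the `mlist` dict and the sample message are constructed here for illustration.

```python
"""Model of the Sender: header handling described in the announcements.

Added example, not Mailman's own code. The helper names, the `mlist`
dict and the sample message below are constructed for illustration.
"""
from email import message_from_string

# Site-wide switch modelled on the Defaults.py/mm_cfg.py setting described
# in the announcement; True corresponds to the announced default of "Yes".
ALLOW_SENDER_OVERRIDES = True


def bounces_address(mlist):
    """The list's -bounces address, e.g. announce-bounces@example.org."""
    return '%s-bounces@%s' % (mlist['internal_name'], mlist['host_name'])


def apply_sender_policy(msg, mlist, allow_overrides=ALLOW_SENDER_OVERRIDES):
    """Rewrite Sender: on an outgoing message as the announcement describes.

    include_sender_header=Yes (the default): every pre-existing Sender: is
    removed and a single Sender: with the list's -bounces address is set.
    include_sender_header=No: the header is left exactly as it arrived.
    With ALLOW_SENDER_OVERRIDES=No the per-list option is not offered, so the
    prior always-replace behaviour applies regardless of the list setting.
    """
    include = mlist.get('include_sender_header', True)
    if not allow_overrides:
        include = True
    if include:
        del msg['Sender']            # deletes all Sender: occurrences
        msg['Sender'] = bounces_address(mlist)
    return msg


# Constructed sample: a post that already carries a Sender: header.
SAMPLE = """From: alice@example.net
To: announce@example.org
Sender: alice-laptop@example.net
Subject: test

hello
"""


def sender_after(include_sender_header, allow_overrides=True):
    """Return the Sender: values left on SAMPLE under the given settings."""
    mlist = {'internal_name': 'announce', 'host_name': 'example.org',
             'include_sender_header': include_sender_header}
    msg = apply_sender_policy(message_from_string(SAMPLE), mlist, allow_overrides)
    return msg.get_all('Sender')
```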
