6179349 2001-03-06 08:53 +0100 /76 lines/ Soos Peter <sp@OSB.HU>
Sent by: joel@lysator.liu.se
Imported: 2001-03-06 18:18 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mailman-developers@python.org
Recipient: Bugtraq (import) <15763>
Subject: [Mailman-Announce] ANNOUNCE Mailman 2.0.2 (important privacy patch)
------------------------------------------------------------
From: Soos Peter <sp@OSB.HU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0103060853010.5499@pimpa.intranet.osb.hu>

I've just uploaded the Mailman 2.0.2 release to SourceForge. This is a
bug fix release that also fixes a potential privacy hole, which could
allow a list administrator to get access to user passwords. Even with
those passwords, I believe there's little additional harm that a list
admin could do, but still they probably shouldn't have access to those
passwords.

There are a few other important fixes in this release, so I recommend
that all sites running Mailman 2.0 or 2.0.1 should upgrade.

As usual I'm releasing this as both a complete tarball and as a patch
against Mailman 2.0.1. If you grab the patchfile, you'll want to cd
into your 2.0 source, and apply it like so:

    % patch -p1 < mailman-2.0.1-2.0.2.diff

Currently only http://mailman.sourceforge.net is updated, but the
list.org and gnu.org sites should be updated soon. The release
information on SF is at

    http://sourceforge.net/project/shownotes.php?release_id=25955

My thanks to Thomas Wouters for his help!

Enjoy,
-Barry

P.S. I'm not sure if I'll have time to release a 2.1 alpha of the I18N
stuff before I leave for the Python9 conference. If we get the
expected foot of snow between Sunday and Monday, it's a possibility. ;)

[From the NEWS file]

2.0.2 (03-Mar-2001)

    Security fix:

    - A fix for a potential privacy exploit where a clever list
      administrator could gain access to user passwords. This doesn't
      allow them to do much more harm to the user than they normally
      could, but they still shouldn't have access to the passwords.

    Bug fixes:

    - In the admindb page, don't complain when approving a
      subscription of someone who's already on the list (SF bug
      #222409 - Thomas Wouters).

      Also, quote for HTML the Subject: text printed for held
      messages, otherwise messages with e.g. "Subject: </table>" could
      royally screw page formatting.

    - In Netscape.py bounce processor, don't bomb out on ill-formed
      messages (no semi-colon separating parameters), otherwise mail
      delivery could grind to a halt. Bug reported by Kambiz
      Aghaiepour.

    - Docstring fix bin/newlist to remove mention of "immediate"
      argument (Thomas Wouters).

    - Fix for bin/update when PREFIX != VAR_PREFIX (SF bug #229794 --
      Thomas Wouters).