April 23, 2008

[installer 1509] mailman-2.1.10

mailman-2.1.10 is out.

It includes an XSS fix. See
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0564

☆ mailman-2.1.10
http://www.gnu.org/software/mailman/

http://ftp.gnu.org/gnu/mailman/mailman-2.1.10.tgz
ftp://ftp.gnu.org/gnu/mailman/mailman-2.1.10.tgz

2.1.10 (21-Apr-2008)

Security

- The 2.1.9 fixes for CVE-2006-3636 were not complete. In particular,
some potential cross-site scripting attacks were not detected in
editing templates and updating the list's info attribute via the web
admin interface. This has been assigned CVE-2008-0564 and has been
fixed. Thanks again to Moritz Naumann for assistance with this.

- There is a new mm_cfg.py/Defaults.py variable
OWNERS_CAN_CHANGE_MEMBER_PASSWORDS which controls whether the list
owner can change a member's password from the member's options page.
This defaults to No and should be changed to Yes only if list owners
are trusted to not change a member's password, log in as the member
and make global membership changes.

New Features

- Changed cmd_who.py to list all members if authorization is with the
list's admin or moderator password and to accept the password if the
roster is public. Also changed the web roster to show hidden members
when authorization is by site or list's admin or moderator password
(1587651).

- Added the ability to put a list name in accept_these_nonmembers
to accept posts from members of that list (1220144).

- Added a new 'sibling list' feature to exclude members of another list
from receiving a post from this list if the other list is in the To: or
Cc: of the post or to include members of the other list if that list is
not in the To: or Cc: of the post (Patch ID 1347962).

- Added the admin_member_chunksize attribute to the admin General Options
interface (Bug 1072002, Partial RFE 782436).

Internationalization

- Added the Hebrew translation from Dov Zamir. This includes addition of
a direction ('ltr', 'rtl') to the LC_DESCRIPTIONS table. The
add_language() function defaults direction to 'ltr' to not break
existing mm_cfg.py files.

- Added the Slovak translation from Martin Matuska.

- Added the Galician translation from Frco. Javier Rial Rodríguez.

Bug fixes and other patches

- Added bounce recognition for several additional bounce formats.

- Fixed CommandRunner.py to decode a quoted-printable or base64 encoded
message part (1829061).

- Fixed Scrubber.py to avoid loss of an implicit text/plain message part
with no Content-* headers in a MIME multipart message (759841). Fixed
several other minor scrubber issues (1242450).

- Added Date and Message-ID headers to the confirm reply message that
Mailman adds to the admin notification (1471318).

- Fixed Cgi/options.py to not present the "empty" topic to user.

- Fixed Handlers/CalcRecips.py to not process topics if topics are
disabled for the list. This caused users who had previously subscribed
to topics and elected to not receive non-matching posts to receive no
messages after topics were disabled for the list.

- Fixed MaildirRunner.py to handle hyphenated list names.

- Fixed a bug in MimeDel.py (content filtering) which caused
*_filename_extensions to not match if the extension in the message was
not all lower case.

- Fixed versions.py to not call a non-existent method when converting held
posts from Mailman 1.0.x lists.

- Added a test to configure to detect a missing python-devel package on
some RedHat systems.

- Fixed bin/dumpdb to once again be able to dump marshals (broken since
2.1.5) (963137).

- Worked around a bug in the Python email library that could cause Mailman
to not get the correct value for the sender of a message from an RFC
2231 encoded header causing spurious held messages.

- Fixed bin/check_perms to detect certain missing permissions on the
archives/private/ and archives/private/<list>/database/ directories.

- Improved exception handling in cron/senddigests.

- Changed the admindb page to not show the "Discard all messages marked
Defer" checkbox when there are only (un)subscribes and no held messages.
Also added a separator and heading for "Held Messages" like the ones for
"Subscribe Requests" and "Unsubscribe Requests". Suppressed the
"Database Updated" message when coming from the login page. Also
removed the "Discard all messages marked Defer" checkbox from the
details page where it didn't work (1562922, 1000699).

- Fixed admin.py so null VARHELP category is handled (1573393).

- Fixed OldStyleMemberships.py to preserve delivery statuses BYADMIN
and BYUSER on a straight change of address (1642388). Also fixed a
bug that could result in a member key with uppercase in the domain.

- Fixed bin/withlist so that -r can take a full package path to a
callable.

- Removal of DomainKey/DKIM signatures is now controlled by the
Defaults.py/mm_cfg.py variable REMOVE_DKIM_HEADERS (default = No). Also, if
REMOVE_DKIM_HEADERS = Yes, an Authentication-Results: header will be
removed if present.

- The DeprecationWarning issued by Python 2.5 regarding string exceptions
is suppressed.

- format=flowed and delsp=yes are now preserved for message bodies when
message headers/footers are added and attachments are scrubbed
(1495122).

- Queue runner processing is improved to log and preserve for analysis in
the shunt queue certain bad queue entries that were previously logged
but lost. Also, entries are preserved when an attempt to shunt throws
an exception (1656289).

- The admin Membership List pages have been changed in that the email
address which forms a part of the various CGI data keys is now
urllib.quote()ed. This allows changing options for and unsubbing an
address which contains a double-quote character, but it may require
changes to scripts that screen-scrape the web admin interface to
produce a membership list so they will report an unquoted address.

- The fix for bug 1181161 in 2.1.7 was incomplete. The Approve(d): line
wasn't always found in quoted-printable encoded parts and was never
found in base64 encoded parts. This is now fixed.

- Fixed a mail loop if a list owner puts the list's -bounces or -admin
address in the list's owner attribute (1834569).

- Fixed the mailto: link in archived messages to prefix the subject with
Re: and to put the correct message-id in In-Reply-To (1621278, 1834281).

- Coerced list name arguments to lower case in the change_pw, inject,
list_admins and list_owners command line tools (patch 1842412).

- Fixed cron/disabled to test if bounce info is stale before disabling
a member when the threshold has been reduced.

- It wasn't noted here, but in 2.1.9, queue runner processing was made
more robust by making backups of queue entries when they were dequeued
so they could be recovered in the event of a system failure. This
opened the possibility that if a message itself caused a runner to
crash, a loop could result that would endlessly reprocess the message.
This has now been fixed by adding a dequeue count to the entry and
moving the entry aside and logging the fact after the third dequeue of
the same entry.

- Fixed the command line scripts add_members, sync_members and
clone_member to properly handle banned addresses (1904737).

- Fixed bin/newlist to add the list's preferred language to the list's
available_languages if it is other than the server's default language
(1906368).

- Changed the first URL in the RFC 2369 List-Unsubscribe: header to go
to the options login page instead of the listinfo page.

- Changed the options login page to not issue the "No address given" error
when coming from the List-Unsubscribe and other direct links. Also
changed to remember the user's language selection when redisplaying the
page following an error.

- Changed cmd_subscribe.py to properly accept (no)digest without a
password and to recognize (no)digest and address= case insensitively.

- Fixed a problem where GuiBase._getValidValue() would truncate a
floating point Number type to an int if the value was a float instead
of a numeric string. This affected setting floating point values with
config_list.

Miscellaneous

- Brad Knowles' mailman daily status report script updated to 0.0.17.

- An updated mm-handler (mm-handler-2.1.10) that can help reduce
backscatter has been added to the contrib directory.

----
こがよういちろう


Posted by xml-rpc: April 23, 2008 10:44
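The dequeue-count safeguard from the queue runner item in the release notes above, sketched as an added example; this is not Mailman's code and not part of the original post. The names `Queue`, `run_until_idle` and `MAX_DEQUEUES` are hypothetical, and treating "after the third dequeue" as a check made when the runner restarts is an assumption.

```python
import logging

log = logging.getLogger("qrunner-sketch")
MAX_DEQUEUES = 3  # release notes: set aside "after the third dequeue"

class Queue:
    """In-memory stand-in for a queue directory (hypothetical names)."""
    def __init__(self):
        self.pending = {}  # entry id -> {"msg": ..., "dequeues": n}
        self.backups = {}  # handed to a runner, not yet finished
        self.aside = {}    # preserved for analysis, never retried

    def enqueue(self, entry_id, msg):
        self.pending[entry_id] = {"msg": msg, "dequeues": 0}

    def dequeue(self, entry_id):
        entry = self.pending.pop(entry_id)
        entry["dequeues"] += 1
        self.backups[entry_id] = entry  # backup survives a runner crash
        return entry["msg"]

    def finish(self, entry_id):
        self.backups.pop(entry_id, None)  # processed cleanly: drop backup

    def recover(self):
        """At runner start-up: requeue backups unless they keep crashing."""
        for entry_id, entry in list(self.backups.items()):
            del self.backups[entry_id]
            if entry["dequeues"] >= MAX_DEQUEUES:
                log.error("entry %s dequeued %d times, moved aside",
                          entry_id, entry["dequeues"])
                self.aside[entry_id] = entry
            else:
                self.pending[entry_id] = entry

def run_until_idle(queue, handler, max_restarts=10):
    """Simulate a runner that is restarted after each crash; return restarts."""
    restarts = 0
    while restarts <= max_restarts:
        queue.recover()
        if not queue.pending:
            break
        try:
            for entry_id in list(queue.pending):
                handler(queue.dequeue(entry_id))
                queue.finish(entry_id)
        except Exception:
            restarts += 1  # runner died; the backup stays behind
    return restarts
```

With a handler that always raises on one entry, the runner restarts three times and then goes idle with that entry in `aside`; without the count check in `recover()` the same entry would be requeued on every restart.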