info-gnu

RELEASE Mailman 2.0.7


From: Barry A. Warsaw
Subject: RELEASE Mailman 2.0.7

I've just released version 2.0.7 of Mailman, the GNU Mailing List
Manager.  Mailman is released under the GNU General Public License
(GPL).  Version 2.0.7 closes two potential security /
denial-of-service problems in the Mailman 2.0.x series, and includes a
few other minor bug fixes.

- If you are running Python 1.5.2, it is possible for someone to
  carefully craft some cookie data and then trick Mailman into
  accepting it, which will crash your Python interpreter.

  If you are not running Python 1.5.2, you should be immune to the
  crash; however, it is still possible for someone to craft cookie
  data even more carefully so that arbitrary class constructors are
  executed on the server.

  Mailman 2.0.7 closes this hole by disabling the Cookie.py module's
  default unpickling of cookie data.

- Mailman's bounce handler could receive a bounce message that looked
  like a DSN report but was incorrectly formatted.  Under Mailman
  2.0.6's bounce detector, you would get a traceback for a message
  that would never be removed from the queue, potentially wedging
  your qrunner until the offending message was manually deleted.

  Mailman 2.0.7 fixes the DSN.py bounce detector.
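To make the first item concrete, here is an added example that is not Mailman's code and does not come from this announcement: it emulates, in modern Python, the two ways of handling a cookie value. The `Marker` class, the `mailman_session` cookie name and the base64 wrapping of the pickle are assumptions made for the illustration (the old Cookie.py quoted the raw pickle text instead). The unsafe path stands in for Cookie.py's default of unpickling whatever a value decodes to; the safe path stands in for 2.0.7's behaviour of treating cookie values as plain strings.

```python
import base64
import pickle
from http.cookies import SimpleCookie

# Every constructor call the unpickler triggers is recorded here.  A real
# attacker would pick a far more interesting callable than this one.
INVOKED = []


class Marker:
    """Hypothetical class standing in for "an arbitrary class constructor on the server"."""

    def __init__(self, tag):
        INVOKED.append(("Marker", tag))
        self.tag = tag

    def __reduce__(self):
        # The pickle records "call Marker(tag)"; the unpickler obeys, no matter
        # who wrote the bytes.  That is the whole problem with unpickling cookies.
        return (Marker, (self.tag,))


def craft_cookie_header(name, tag):
    """Attacker side: a cookie whose value is a pickle that rebuilds Marker(tag) on load.

    Assumption for this example: the pickle is base64-wrapped so it survives as a
    plain cookie token (the SmartCookie-era code quoted the raw pickle instead).
    """
    payload = Marker.__new__(Marker)  # bypass __init__ so crafting itself is not counted
    payload.tag = tag
    return f"{name}={base64.b64encode(pickle.dumps(payload)).decode()}"


def smart_decode(cookie_header):
    """Pre-2.0.7 style behaviour: any value that unpickles is unpickled (unsafe)."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    decoded = {}
    for name, morsel in jar.items():
        try:
            decoded[name] = pickle.loads(base64.b64decode(morsel.value))
        except Exception:
            decoded[name] = morsel.value  # not a pickle: fall back to the raw string
    return decoded


def safe_decode(cookie_header):
    """2.0.7 style behaviour: cookie values are opaque strings and are never unpickled."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def run_demo(tag="evil"):
    """Feed one crafted cookie to both decoders and report which constructors each ran."""
    header = craft_cookie_header("mailman_session", tag)
    INVOKED.clear()
    smart = smart_decode(header)
    smart_calls = list(INVOKED)  # the unsafe decoder ran Marker(tag) for the attacker
    INVOKED.clear()
    safe = safe_decode(header)
    safe_calls = list(INVOKED)   # the safe decoder ran nothing
    return smart, smart_calls, safe, safe_calls
```

The safe decoder does not try to detect "bad" pickles; it simply never calls `pickle.loads` on data that came from the client, which is the same shape of fix the release describes.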

There are a few other useful bug fixes in this release, described in
the NEWS excerpt below.  I recommend that anybody running a version of
Mailman up to and including 2.0.6 upgrade to 2.0.7.
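For the second security item, here is an added example that is not Mailman's DSN.py (the exact failing code path of 2.0.6 is not shown on this page): a bounce detector that copes with a DSN-like message lacking the `report-type` parameter, next to a naive detector that assumes the parameter is always present, plus a queue loop that shunts aside a message whose processing raises instead of retrying it forever. The two sample bounces, the `naive_failed_recipients` function and the `process_bounce_queue` runner are constructed for this illustration.

```python
import email
from email.message import Message

# Constructed sample bounce (not real Mailman traffic): a well-formed DSN per RFC 3464.
GOOD_DSN = """\
From: MAILER-DAEMON@mail.example.com
To: list-bounces@lists.example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsnb"

--dsnb
Content-Type: text/plain

Delivery to the following recipients failed.

--dsnb
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.com

Final-Recipient: rfc822; gone@example.org
Action: failed
Status: 5.1.1

Final-Recipient: rfc822; slow@example.org
Action: delayed
Status: 4.4.1

--dsnb--
"""

# The same bounce minus the report-type parameter: "DSN-like, but incorrectly formatted".
BAD_DSN = GOOD_DSN.replace("report-type=delivery-status; ", "")


def naive_failed_recipients(msg: Message):
    """Illustrative naive detector (not Mailman's DSN.py): assumes report-type is present.

    On BAD_DSN, get_param() returns None and the .lower() call raises AttributeError.
    """
    if msg.get_param("report-type").lower() != "delivery-status":
        return None
    return _collect_failed(msg)


def failed_recipients(msg: Message):
    """Hardened detector: failed addresses, or None for anything that is not a usable DSN."""
    if msg.get_content_type() != "multipart/report":
        return None
    report_type = msg.get_param("report-type")
    if not isinstance(report_type, str) or report_type.lower() != "delivery-status":
        return None  # missing, RFC 2231-encoded, or not a delivery status report
    return _collect_failed(msg)


def _collect_failed(msg: Message):
    failed = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The email package parses message/delivery-status into one Message per
        # header block: first the per-message fields, then one block per recipient.
        for block in part.get_payload():
            if block.get("Action", "").strip().lower() != "failed":
                continue
            recipient = block.get("Final-Recipient", "")  # "rfc822; user@example.org"
            addr = recipient.split(";", 1)[-1].strip().lower()
            if addr:
                failed.append(addr)
    return failed


def process_bounce_queue(raw_messages, detector):
    """Give each queued bounce one attempt; a message whose processing raises is
    shunted aside for manual inspection rather than left in the queue to crash
    the runner again on the next pass."""
    handled, shunted = [], []
    for raw in raw_messages:
        try:
            handled.append(detector(email.message_from_string(raw)))
        except Exception as exc:
            shunted.append((raw, type(exc).__name__))
    return handled, shunted
```

With the hardened detector the malformed message is simply classified as "not a DSN" and the runner moves on; the shunt path is the operational safety net for whatever malformed input the next release has not anticipated yet.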

GNU Mailman is software to help manage electronic mail discussion
lists.  Mailman gives each mailing list a unique web page and allows
users to subscribe, unsubscribe, and change their account options over
the web.  Even the list manager can administer his or her list
entirely via the web.  Mailman has most of the features that people
want in a mailing list management system, including built-in
archiving, mail-to-news gateways, spam filters, bounce detection,
digest delivery, and so on.

Mailman is compatible with most web servers, web browsers, and mail
servers.  It runs on GNU/Linux and should run on any other Unix-like
operating system.  Mailman 2.0.7 requires Python 1.5.2 or newer.  To
install Mailman from source, you will need a C compiler.

For more information on Mailman, including links to file downloads,
please see the Mailman WWW page: http://www.gnu.org/software/mailman

And its mirrors at:

    http://mailman.sourceforge.net
    http://www.list.org

(Note: not all of the mirrors are updated yet.)

Downloads are available at

    http://sourceforge.net/project/showfiles.php?group_id=103&release_id=60758

There are email lists (managed by Mailman, of course!) for both
Mailman users and developers.  See the web sites above for details.

Cheers,
-Barry

-------------------- snip snip --------------------
2.0.7 (09-Nov-2001)

    Security fixes:

    - Closed a hole in cookie management whereby some carefully
      crafted untrusted cookie data could crash Mailman if used with
      Python 1.5.2, or cause some unintended class constructors to be
      run on the server.

    - In the DSN.py bounce handler, a message that was DSN-like, but
      which was missing a "report-type" parameter could cause a
      non-deletable bounce message to crash Mailman forever, requiring
      manual intervention.

    Bug fixes:

    - Stray % signs in headers and footers could cause crashes.  Now
      they'll just cause an [INVALID HEADER] or [INVALID FOOTER]
      string to be added.

    - The mail->news gateway has been made more robust in the face of
      duplicate headers, and reserved headers that some news servers
      reject.  If the message is still rejected, it is saved in
      $prefix/nntp instead of discarded.

    - Hand-crafted invalid chunk number in membership management
      display could cause a traceback.



