[TriLUG] Mailman 2.0.8 is live

Jon Carnes jonc at nc.rr.com
Sun Dec 2 23:31:38 EST 2001


Hear, hear, Chris!  Well done!  Looks like a seamless upgrade.

Note to Steering: 2.08 has some known problems with older versions of 
Konqueror.  So if anyone gets an error trying to access the admin 
interface, look at what browser you are using...

Jon (Konqueror rules!...?) Carnes
===
On Sunday 02 December 2001 21:51, Christian J Hedemark wrote:
> I have a backup of the old install in my home dir on fatalpha if
> something goes terribly wrong (which the SC has access to).  But I did
> some quick tests of mail & web interfaces and it all looked good.  We're
> up from 2.0.5. This was mostly for security purposes.
>
> Here is a history of user visible changes to Mailman.
>
> 2.0.8 (27-Nov-2001)
>
>     Security fix release to prevent cross-site scripting exploits.
>     See http://www.cert.org/advisories/CA-2000-02.html for a
>     description of the general problem (not Mailman specific).
>
> 2.0.7 (09-Nov-2001)
>
>     Security fixes:
>
>     - Closed a hole in cookie management whereby some carefully
>       crafted untrusted cookie data could crash Mailman if used with
>       Python 1.5.2, or cause some unintended class constructors to be
>       run on the server.
>
>     - In the DSN.py bounce handler, a message that was DSN-like, but
>       which was missing a "report-type" parameter could cause a
>       non-deletable bounce message to crash Mailman forever, requiring
>       manual intervention.
>
>     Bug fixes:
>
>     - Stray % signs in headers and footers could cause crashes.  Now
>       they'll just cause an [INVALID HEADER] or [INVALID FOOTER]
>       string to be added.
>
>     - The mail->news gateway has been made more robust in the face of
>       duplicate headers, and reserved headers that some news servers
>       reject.  If the message is still rejected, it is saved in
>       $prefix/nntp instead of discarded.
>
>     - Hand-crafted invalid chunk number in membership management
>       display could cause a traceback.
>
> 2.0.6 (25-Jul-2001)
>
>     Security fix:
>
>     - Fixed a potential security hole which could allow access to list
>       administrative features by unauthorized users.  If there is an
>       empty data/adm.pw file (the site password file), then any
>       password will be accepted as the list administrative password.
>       This exploit is caused by a common "bug" in the crypt() function
>       suffered by several Unix distributions, including at least
>       GNU/Linux and Solaris.  Given a salt string of length zero,
>       crypt() always returns the empty string.
>
>       In lieu of applying this patch, sites can run bin/mmsitepass and
>       ensure that data/adm.pw is of length 2 or greater.
>
>     Bug fixes:
>
>     - Ensure that even if DEFAULT_URL is misconfigured in mm_cfg.py
>       (i.e. is missing a trailing slash), it is always fixed upon list
>       creation.
>
>     - Check for administrivia holds before any other tests.
>
>     - SF bugs fixed: 407666, 227694
>
>     - Other miscellaneous buglets fixed.
>
>
> _______________________________________________
> TriLUG mailing list
> http://www.trilug.org/mailman/listinfo/trilug
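The 2.0.6 note above describes why an empty data/adm.pw let any password through: the admin check compared crypt(candidate, stored) against stored, and crypt() with a zero-length salt returned the empty string. The following is an added illustration, not Mailman's own code; legacy_crypt is a constructed stand-in that models only the documented empty-salt behaviour (it is not real DES crypt), and the function names and the "Mm" salt are assumptions.

```python
import hashlib
import hmac


def legacy_crypt(password: str, salt: str) -> str:
    """Constructed stand-in for a 2001-era libc crypt() (NOT real DES crypt).

    Models the behaviour quoted in the 2.0.6 notes: given a salt of length
    zero, crypt() returns the empty string.  Otherwise it returns the
    two-character salt followed by an 11-character digest, so the usual
    verification idiom is `crypt(candidate, stored) == stored`.
    """
    salt = salt[:2]
    if len(salt) == 0:
        return ""  # the bug being modelled: no salt -> empty result
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:11]


def vulnerable_check(candidate: str, stored: str) -> bool:
    """Pre-2.0.6-style site password check.

    With an empty adm.pw, stored == "" and legacy_crypt(...) == "", so the
    comparison is true for every candidate password.
    """
    return legacy_crypt(candidate, stored) == stored


def hardened_check(candidate: str, stored: str) -> bool:
    """Check that follows the workaround in the notes: a stored value shorter
    than a salt (under 2 characters) means no password is accepted at all.
    The comparison is also done in constant time."""
    stored = stored.strip()
    if len(stored) < 2:
        return False  # empty or truncated adm.pw: refuse, never accept
    return hmac.compare_digest(legacy_crypt(candidate, stored), stored)


def make_site_password(password: str, salt: str = "Mm") -> str:
    """What a tool like bin/mmsitepass would write to adm.pw (salt assumed)."""
    return legacy_crypt(password, salt)
```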