To: python-list@python.org Subject: ANNOUNCE Mailman 2.0.2 (important privacy patch) From: barry@digicool.com (Barry A. Warsaw) Date: Sat, 3 Mar 2001 03:39:57 -0500 I'm please to announce the 2.0.2 release of Mailman, the GNU Mailing List Manager. Mailman is released under the GNU General Public License (GPL). Version 2.0.2 is an important bug fix release that also fixes a potential privacy hole, which could allow a list administrator to get access to user passwords. Even with those passwords, I believe there's little additional harm that a list admin could do, but still they probably shouldn't have access to those passwords. There are a few other important fixes in this release, so I recommend that all sites running Mailman 2.0 or 2.0.1 should upgrade. Mailman 2.0.2 is being released as both a gzip'd source tarball and as a patchfile. Mailman is software to help manage electronic mail discussion lists, much like Majordomo or Smartmail. Mailman gives each mailing list a unique web page and allows users to subscribe, unsubscribe, and change their account options over the web. Even the list manager can administer his or her list entirely via the web. Mailman has most of the features that people want in a mailing list management system, including built-in archiving, mail-to-news gateways, spam filters, bounce detection, digest delivery, and so on. Mailman is compatible with most web servers, web browsers, and mail servers. It should run on any Unix-like operating system. Mailman 2.0.2 requires Python 1.5.2 or newer. To install Mailman from source, you will need a C compiler. For more information on Mailman, including links to file downloads, please see the following mirrors: http://www.gnu.org/software/mailman http://mailman.sourceforge.net http://www.list.org [Only the SourceForge site is up-to-date at the moment, the others will be updated soon.] There are email lists (managed by Mailman, of course!) for both Mailman users and developers. See the web sites above for details. Enjoy, -Barry [From the NEWS file] 2.0.2 (03-Mar-2001) Security fix: - A fix for a potential privacy exploit where a clever list administrator could gain access to user passwords. This doesn't allow them to do much more harm to the user then they normally could, but they still shouldn't have access to the passwords. Bug fixes: - In the admindb page, don't complain when approving a subscription of someone who's already on the list (SF bug #222409 - Thomas Wouters). Also, quote for HTML the Subject: text printed for held messages, otherwise messages with e.g. "Subject: </table>" could royally screw page formatting. - In Netscape.py bounce processor, don't bomb out on ill-formed messages (no semi-colon separating parameters), otherwise mail delivery could grind to a halt. Bug reported by Kambiz Aghaiepour. - Docstring fix bin/newlist to remove mention of "immediate" argument (Thomas Wouters). - Fix for bin/update when PREFIX != VAR_PREFIX (SF bug #229794 -- Thomas Wouters). -- http://mail.python.org/mailman/listinfo/python-list