-*- coding: iso-8859-1 -*-
Mailman - The GNU Mailing List Management System
Copyright (C) 1998-2020 by the Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
Here is a history of user visible changes to Mailman.
Bug Fixes and other patches

- NotAMemberError exception from the user options page when the user has
  been asynchronously unsubscribed is fixed. (LP: #1951769)

Bug Fixes and other patches

- A bug in the fix for CVE-2021-43332 has been fixed. (LP: #1950833)

- A potential XSS attack via the user options page has been reported by
  Harsh Jaiswal. This is fixed. CVE-2021-43331 (LP: #1949401)

- A potential for a list moderator to carry out an off-line brute force
  attack to obtain the list admin password has been reported by Andre
  Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.
  CVE-2021-43332 (LP: #1949403)

- A potential for a list member to carry out an off-line brute force
  attack to obtain the list admin password has been reported by Andre
  Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.
  CVE-2021-42096 (LP: #1947639)

- A CSRF attack via the user options page could allow takeover of a user's
  account. This is fixed. CVE-2021-42097 (LP: #1947640)

Bug Fixes and other patches

- Fixed an issue where the wrapper message for the DMARC mitigation Wrap
  Message action sometimes had no Subject: header. (LP: #1915655)

- Plain text message bodies with Content-Disposition: and no declared
  charset are no longer scrubbed. (LP: #1917968)

- CommandRunner now recodes message bodies in the charset of the user's
  or list's language to avoid a possible UnicodeError when including the
  message body in the reply. (LP: #1921682)

- 'Delivery disabled by bounce' notices to admins now have 'disabled'
  properly translated. (LP: #1922843)

- DMARC policy discovery ignores domains with multiple DMARC records, per
  RFC 7489. (LP: #1931029)

- The Spanish translation has been updated by Omar Walid Llorente.

Bug Fixes and other patches

- The fix for LP: #1859104 could result in a ValueError being raised on
  attempts to subscribe to a list. This is fixed and extended to apply
  REFUSE_SECOND_PENDING to unsubscription as well. (LP: #1878458)

- DMARC mitigation no longer misses if the domain name returned by DNS
  contains upper case. (LP: #1881035)
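
The two DMARC entries above (multiple records per RFC 7489, and upper case in the domain name returned by DNS) describe policy discovery rules. The following is an added example, not Mailman's own code: DMARC policy discovery following RFC 7489 section 6.6.3, with DNS replaced by a constructed table of TXT records. The organizational-domain fallback uses the last two labels, which is an assumption for this example; real implementations consult the Public Suffix List.

```python
# Added example (not Mailman's code): RFC 7489 section 6.6.3 policy discovery.
import re

# Constructed sample zone data: TXT records keyed by lowercase owner name.
SAMPLE_TXT = {
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"],
    "_dmarc.corp.example": ["v=DMARC1; p=reject; sp=none"],
    "_dmarc.two.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "_dmarc.spf.example": ["v=spf1 -all"],
    "_dmarc.quote.example": ['"v=DMARC1; " "p=quarantine"'],
}

# A DMARC record must start with the v=DMARC1 tag (step 2/4 of 6.6.3).
_DMARC_V = re.compile(r"^v\s*=\s*DMARC1\s*(;|$)", re.IGNORECASE)


def lookup_txt(name):
    """Stand-in for a resolver. DNS names are case-insensitive, so the name is
    normalized before the lookup; a real resolver may also hand back mixed
    case, which is why callers lowercase what they compare against."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


def join_txt_strings(txt):
    """A TXT RR may arrive as several quoted character-strings; join them."""
    if '"' not in txt:
        return txt
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', txt))


def dmarc_records(txts):
    """Discard anything that is not a DMARC record (e.g. a stray SPF record)."""
    return [t for t in map(join_txt_strings, txts) if _DMARC_V.match(t)]


def parse_tags(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Assumption for this example: organizational domain = last two labels.
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else domain


def discover_policy(from_domain):
    """Return (policy, domain the record came from), or None when DMARC
    processing must not be applied: no record, or more than one record."""
    domain = from_domain.strip().rstrip(".").lower()
    recs = dmarc_records(lookup_txt("_dmarc." + domain))
    if len(recs) > 1:
        return None  # step 5: multiple records ends discovery, no fallback
    source = domain
    if not recs:
        source = org_domain(domain)
        if source == domain:
            return None
        recs = dmarc_records(lookup_txt("_dmarc." + source))
        if len(recs) != 1:
            return None  # zero or several records at the org domain
    tags = parse_tags(recs[0])
    if "p" not in tags:
        return None  # simplification of step 6: no usable p= tag
    if source != domain and "sp" in tags:
        return tags["sp"].lower(), source  # sp= governs subdomains on fallback
    return tags["p"].lower(), source
```

The point the NEWS entries make is visible in the return values: two.example publishes two records and gets no policy at all, and a subdomain of it does not inherit one either, while a mixed-case lookup of example.org still finds the single record.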

- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent
  mailbombing of a member of a list with private rosters by repeated
  subscribe attempts. (LP: #1883017)

- Very long filenames for scrubbed attachments are now truncated.

- A content injection vulnerability via the private login page has been
  fixed. CVE-2020-15011 (LP: #1877379)

Fixed a typo in the Spanish translation and updated mailman.pot and
the message catalog for the 2.1.31 security fix.

- A content injection vulnerability via the options login page has been
  discovered and reported by Vishal Singh. This is fixed. CVE-2020-12108

- The Spanish translation has been updated by Omar Walid Llorente.

Bug Fixes and other patches

- Bounce recognition for a non-compliant Yahoo format is added.

- Archiving workaround for non-ascii in string.lowercase in some Python

- Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses
  list setting that can be used to apply dmarc_moderation_action to mail
  From: addresses listed or matching listed regexps. This can be used
  to modify mail to addresses that don't accept external mail From:

- There is a new MAX_LISTNAME_LENGTH setting. The fix for LP: #1780874
  obtains a list of the names of all the lists in the installation
  in order to determine the maximum length of a legitimate list name. It
  does this on every web access, and on sites with a very large number of
  lists this can have performance implications. See the description in
  Defaults.py for more information.

- Thanks to Ralf Jung there is now the ability to add text based captchas
  (aka textchas) to the listinfo subscribe form. See the documentation
  for the new CAPTCHA setting in Defaults.py for how to enable this. Also
  note that if you have custom listinfo.html templates, you will have to
  add a <mm-captcha-ui> tag to those templates to make this work. This
  feature can be used in combination with or instead of the Google
  reCAPTCHA feature added in 2.1.26.

- Thanks to Ralf Hildebrandt the web admin Membership Management section
  now has a feature to sync the list's membership with a list of email
  addresses as with the bin/sync_members command.

- There is a new drop_cc list attribute set from DEFAULT_DROP_CC. This
  controls the dropping of addresses from the Cc: header in delivered
  messages by the duplicate avoidance process. (LP: #1845751)

- There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that refuses
  a second request to subscribe to a list when there is already a pending
  confirmation for that user. This can be set to Yes to prevent
  mailbombing of a third party by repeatedly posting the subscribe form.
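
Both REFUSE_SECOND_PENDING (above) and WARN_MEMBER_OF_SUBSCRIBE (in the 2.1.34 entries) exist because a subscribe form that always sends mail is a free mail cannon aimed at whatever address the client types. The following is an added example, not Mailman's own code: a subscribe-form handler that applies both settings and counts the mail a hostile client can trigger. The setting names follow the NEWS entries, but the list, roster, pending store, outbox and the exact behaviour for public rosters are this example's own constructions and assumptions, not Mailman's implementation.

```python
# Added example (not Mailman's code): anti-mailbomb handling of the subscribe form.
from dataclasses import dataclass, field


@dataclass
class Settings:
    # Names taken from NEWS; defaults assumed to be the permissive ones.
    REFUSE_SECOND_PENDING: bool = False
    WARN_MEMBER_OF_SUBSCRIBE: bool = True


@dataclass
class MailingList:
    name: str
    private_roster: bool = True
    members: set = field(default_factory=set)
    pending: set = field(default_factory=set)   # unconfirmed subscribe requests
    outbox: list = field(default_factory=list)  # (recipient, subject) "sent"


def handle_subscribe(mlist, addr, settings):
    """Process one posting of the subscribe form for addr.

    Returns an outcome string and appends to mlist.outbox only when a message
    would actually leave the system, so the mail volume attributable to a
    single remote client can be measured."""
    addr = addr.strip().lower()
    if addr in mlist.members:
        if not mlist.private_roster:
            # Assumption: membership is public anyway, so the web reply can
            # say so and nothing needs to be mailed.
            return "member-shown-on-web"
        # Private roster: the web reply must not reveal membership, so the
        # only party that can be told is the member. WARN_MEMBER_OF_SUBSCRIBE=No
        # suppresses even that mail, closing the repeat-attempt mailbomb.
        if not settings.WARN_MEMBER_OF_SUBSCRIBE:
            return "member-silent"
        mlist.outbox.append((addr, "Subscription attempt for %s" % mlist.name))
        return "member-warned"
    if addr in mlist.pending:
        if settings.REFUSE_SECOND_PENDING:
            return "pending-refused"  # one confirmation request is enough
        mlist.outbox.append((addr, "Confirm subscription to %s" % mlist.name))
        return "pending-resent"
    mlist.pending.add(addr)
    mlist.outbox.append((addr, "Confirm subscription to %s" % mlist.name))
    return "confirmation-sent"


def mail_volume(requests, settings):
    """Messages generated by `requests` form posts naming a non-member and the
    same number naming an existing member of a private-roster list."""
    mlist = MailingList("announce", members={"member@example.com"})
    for _ in range(requests):
        handle_subscribe(mlist, "victim@example.com", settings)
        handle_subscribe(mlist, "member@example.com", settings)
    return len(mlist.outbox)
```

With the permissive defaults every form post produces a message to the named address; with REFUSE_SECOND_PENDING=Yes and WARN_MEMBER_OF_SUBSCRIBE=No the whole sequence produces exactly one confirmation request, and the web response still does not disclose who is on a private roster.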

- The Japanese translation has been updated by Yasuhito FUTATSUKI.

- The German translation has been updated by Ludwig Reiter.

- The Spanish translation has been updated by Omar Walid Llorente.

- The Brazilian Portuguese translation has been updated by Emerson de Mello.

Bug Fixes and other patches

- Fixed the confirm CGI to catch a rare TypeError on simultaneous
  confirmations of the same token. (LP: #1785854)

- Scrubbed application/octet-stream MIME parts will now be given a
  .bin extension instead of .obj. CVE-2020-12137 (LP: #1886117)

- Added bounce recognition for a non-compliant opensmtpd DSN with
  Action: error. (LP: #1805137)

- Corrected and augmented some security log messages. (LP: #1810098)

- Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All.

- Leading/trailing spaces in provided email addresses for login to private
  archives and the user options page are now ignored. (LP: #1818872)

- Fixed the spelling of the --no-restart option for mailmanctl.

- Fixed an issue where certain combinations of charset and invalid
  characters in a list's description could produce a List-ID header
  without angle brackets. (LP: #1831321)

- With the Postfix MTA and virtual domains, mappings for the site list
  -bounces and -request addresses in each virtual domain are now added
  to data/virtual-mailman (-owner was done in 2.1.24). (LP: #1831777)

- The paths.py module now extends sys.path with the result of
  site.getsitepackages() if available. (LP: #1838866)

- A bug causing a UnicodeDecodeError in preparing to send the confirmation
  request message to a new subscriber has been fixed. (LP: #1851442)

- The SimpleMatch heuristic bounce recognizer has been improved to not
  return most invalid email addresses. (LP: #1859011)

- Fixed the listinfo and admin overview pages that were broken by
  LP: #1780874. (LP: #1783417)

- A content spoofing vulnerability with invalid list name messages in
  the web UI has been fixed. CVE-2018-13796 (LP: #1780874)

- It is now possible to edit HTML and text templates via the web admin
  UI in a supported language other than the list's preferred_language.
  Thanks to Yasuhito FUTATSUKI.

- The Japanese translation has been updated by Yasuhito FUTATSUKI.

- The German translation has been updated by Ralf Hildebrandt.

- The Esperanto translation has been updated by Rubén Fernández Asensio.

Bug fixes and other patches

- The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature added in 2.1.27 was
  not working. This is fixed. (LP: #1779774)

- Escaping of HTML entities for the web UI is now done more selectively.

- Existing protections against malicious listowners injecting evil
  scripts into listinfo pages have had a few more checks added.
  JVN#00846677/JPCERT#97432283/CVE-2018-0618

- A few more error messages have had their values HTML escaped.
  JVN#00846677/JPCERT#97432283/CVE-2018-0618
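
Several entries on this page are about the same web-UI hazard from different angles: the invalid-list-name content spoofing (CVE-2018-13796), the MAX_LISTNAME_LENGTH bound that the fix for LP: #1780874 needs, and the error messages whose values are now HTML escaped (CVE-2018-0618). The following is an added example, not Mailman's own code: a vulnerable "no such list" renderer beside a hardened one that bounds the echoed name by the longest legitimate list name and escapes it. INSTALLED_LISTS and the MAX_LISTNAME_LENGTH value are constructed for the example, and the truncate-then-escape approach is this example's own, not necessarily what Mailman's fix does.

```python
# Added example (not Mailman's code): bounding and escaping a reflected list name.
import html

INSTALLED_LISTS = ["announce", "dev", "security-discuss"]  # constructed
MAX_LISTNAME_LENGTH = 0  # assumed meaning: 0 = derive the bound from the lists


def max_listname_len(lists, configured):
    """Longest legitimate list name.

    Scanning every list on every request is the cost NEWS warns about for
    large sites; a positive configured value short-circuits the scan."""
    if configured > 0:
        return configured
    return max((len(name) for name in lists), default=0)


def render_no_such_list_vulnerable(listname):
    # Reflects attacker-controlled text into the page unchanged. Any prose or
    # markup placed in the URL becomes part of the site's own error message,
    # so a phishing sentence or a script tag ships under the site's domain.
    return "<p>No such list <em>%s</em></p>" % listname


def render_no_such_list(listname, lists=INSTALLED_LISTS,
                        configured=MAX_LISTNAME_LENGTH):
    """Hardened renderer: a name longer than any real list name cannot be a
    real list name, so the excess is cut before anything is echoed, and the
    remainder is HTML escaped so it can only ever render as text."""
    limit = max_listname_len(lists, configured)
    shown = listname[:limit]
    if len(listname) > limit:
        shown += "..."
    return "<p>No such list <em>%s</em></p>" % html.escape(shown, quote=True)
```

The length bound and the escaping address different attacks: escaping stops markup injection, while the bound is what stops an attacker smuggling a whole spoofed sentence (a password-reset lure, a URL) through a parameter the page was always going to echo as plain text.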

- The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
  the same as one generated at the same time for a different list and