1
1
Mailman - The GNU Mailing List Management System
2
Copyright (C) 1998-2004 by the Free Software Foundation, Inc.
3
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
2
Copyright (C) 1998-2006 by the Free Software Foundation, Inc.
3
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
5
5
Here is a history of user visible changes to Mailman.
11
- A cross-site scripting hole in the private archive script of 2.1.7
12
has been closed. Thanks to Moritz Naumann for its discovery.
14
Bug fixes and other patches
16
- Bouncers support added: 'unknown user', Microsoft SMTPSVC, Prodigy.net
19
- Updated email library to 2.5.7 which will encode payload into qp/base64
20
upon setting. This enabled backing out the scrubber related patches
21
including 'X-Mailman-Scrubbed' header in 2.1.7.
23
- Fix SpamDetect.py potential hold/reject loop problem.
25
- A warning message from email package to the stderr can cause error
26
in Logging because stderr may be detached from the process during
27
the qrunner run. We chose not to output errors to stderr but to
28
the logs/error if the process is running under mailmanctl subprocess.
30
- DKIM header cleansing was separated from Cleanse.py and added to
33
- Fixes: Lose Topics when go directly to topics URL (1194419).
34
UnicodeError running bin/arch (1395683). edithtml.py missing import
35
(1400128). Bad escape in cleanarch. Wrong timezone in list archive
36
index pages (1433673). bin/arch fails with TypeError (1430236).
37
Subscription fails with some Language combinations (1435722).
38
Postfix delayed notification not recognized (863989). 2.1.7 (VERP)
39
mistakes delay notice for bounce (1421285). show_qfiles: 'str'
40
object has no attribute 'as_string' (1444447). Utils.get_domain()
41
wrong if VIRTUAL_HOST_OVERVIEW off (1275856).
45
- Brad Knowles' mailman daily status report script updated to 0.0.16.
51
- The fix for CAN-2005-0202 has been enhanced to issue an appropriate
52
message instead of just quietly dropping ./ and ../ from URLs.
54
- A note on CVE-2005-3573: Although the RFC2231 bug example in the CVE has
55
been solved in Mailman 2.1.6, there may be more cases where
56
ToDigest.send_digests() can block regular delivery. We put the
57
send_digests() calling part in a try/except clause and leave a message
58
in the error log if something happened in send_digests(). Daily call of
59
cron/senddigests will provide more detail to the site administrator.
61
- List administrators can no longer change the user's option/subscription
62
globally. Site admin can change these only if
63
mm_cfg.ALLOW_SITE_ADMIN_COOKIES is set to Yes.
65
- <script> tags are HTML-escaped in the edithtml CGI script.
67
- Since the probe message for disabled users may reach unintended
68
recipients, the password is excluded from sendProbe() and probe.txt.
69
Note that the default value of VERP_PROBE has been set to `No' from
70
2.1.6., thus this change doesn't affect the default behavior.
74
- Always remove DomainKey (and similar) headers from messages sent to the
77
- List owners can control the content filter behavior when collapsing
78
multipart/alternative parts to its first subpart. This allows the
79
option of letting the HTML part pass through after other content
84
- New language: Interlingua.
86
Bug fixes and other patches
88
- Defaults.py.in: SCRUBBER_DONT_USE_ATTACHMENT_FILENAME is set to True for
91
- Fixed the bug where Scrubber.py munges quoted-printable by introducing
92
the 'X-Mailman-Scrubbed' header which marks that the payload is
93
scrubber-munged. The flag is referenced in ToDigest.py, ToArchive.py,
94
Decorate.py and Archiver. A similar problem in ToDigest.py where the
95
plain digest is generated is also fixed.
97
- Fixed Syslog.py to write quopri encoded messages when it fail to write
100
- Fixed MTA/Postfix.py to check aliases group permission in check_perms
101
and fixed mailman-install document on this matter (1378270).
103
- Fixed private.py to go to the original URL after authorization
106
- Fixed bounce log score messages to be more consistent.
108
- Fixed bin/remove_members to accept no arguments when both --fromall and
109
--file= options are specified.
111
- Changed cgi-bin and mail wrapper "group not found" error message to be
112
more descriptive of the actual problem.
114
- The list's ban_list now applies to address changes, admin mass
115
subscribes and invites, and to confirmations/approvals of address
116
changes, subscriptions and invitations.
118
- quoted-printable and base64 encoded parts are decoded before passing to
119
HTML_TO_PLAIN_TEXT_COMMAND (1367783).
121
- Approve: header is removed from posts, and treated the same as the
122
Approved: header. (1355707)
124
- Fixed the removal of the line following Approve[d]: line in body of
127
- The Approve[d]: <password> header is removed from all text/* parts in
128
addition the initial text/plain part. It must still be the first
129
non-blank line in the first text/plain part or it won't be found or
130
removed at all. (1181161)
132
- Posts are now logged in post log file with the true sender, not
133
listname-bounces. (1287921)
135
- Correctly initialize and remember the list's default_member_moderation
136
attribute in the web list creation page. (1263213)
138
- PEP263 charset is added to the config_list output. (1343100)
140
- Fixed header_filter_rules getting lost if accessed directly and
141
authentication was needed by login page. (1230865)
143
- Obscure email when the poster doesn't set full name in 'From:' header.
145
- Preambles and epilogues are taken into account when calculating message
146
sizes for holding purposes. (Mark Sapiro)
148
- Logging/Logger.py unicode transform option. (1235567)
150
- bin/update crashes with bogus files. (949117)
152
- Bugs and patches: 1212066/1301983 (Date header in create/remove notice)
158
- Critical security patch for path traversal vulnerability in private
159
archive script (CAN-2005-0202).
161
- Added the ability for Mailman generated passwords (both member and list
162
admin) to be more cryptographically secure. See new configuration
163
variables USER_FRIENDLY_PASSWORDS, MEMBER_PASSWORD_LENGTH, and
164
ADMIN_PASSWORD_LENGTH. Also added a new bin/withlist script called
165
reset_pw.py which can be used to reset all member passwords. Passwords
166
generated by Mailman are now 8 characters by default for members, and 10
167
characters for list administrators.
169
- A potential cross-site scripting hole in the driver script has been
170
closed. Thanks to Florian Weimer for its discovery. Also, turn
171
STEALTH_MODE on by default.
175
- Chinese languages are now supported. They have been moved from 'big5'
176
and 'gb' to 'zh_TW' and 'zh_CN' respectively for compliance to the IANA
177
spec. Note, however, that the character sets were changed from 'Big5'
178
or 'GB2312' to 'UTF-8' to cope with the insufficient codecs support in
179
Python 2.3 and earlier. You may have to install Chinese capable codecs
180
(like CJKCodecs) separately to handle the incoming messages which are in
181
local charsets, or upgrade your Python to 2.4 or newer.
183
Behavior or defaults changes
185
- VERP_PROBES is disabled by default.
187
- bin/withlist can be run without a list name, but only if -i is given.
188
Also, withlist puts the directory it's found in at the end of sys.path,
189
making it easier to run withlist scripts that live in $prefix/bin.
191
- bin/newlist grew two new options: -u/--urlhost and -e/--emailhost which
192
lets the user provide the web and email hostnames for the new mailing
193
list. This is a better way to specify the domain for the list, rather
194
than the old 'mylist@hostname' syntax (which is still supported for
195
backward compatibility, but deprecated).
199
- Python 2.4 compatibility issue: time.strftime() became strict about the
200
'day of year' range. (1078482)
204
- New feature: automatic discards of held messages. List owners can now
205
set how many days to hold the messages in the moderator request queue.
206
cron/checkdb will automatically discard old messages. See the
207
max_days_to_hold variable in the General Options and
208
DEFAULT_MAX_DAYS_TO_HOLD in Defaults.py. This defaults to 0
209
(i.e. disabled). (790494)
211
- New feature: subject_prefix can be configured to include a sequence
212
number which is taken from the post_id variable. Also, the prefix is
213
always put at the start of the subject, i.e. "[list-name] Re: original
214
subject", if mm_cfg.OLD_STYLE_PREFIXING is set No. The default style
215
is "Re: [list-name]" if numbering is not set, for backward compatibility.
216
If the list owner is using numbering feature by "%d" directive, the new
217
style, "[list-name 123] Re:", is always used.
219
- List owners can now cusomize the non-member rejection notice from
220
admin/<listname>/privacy/sender page. (1107169)
222
- Allow editing of the welcome message from the admin page (1085501).
224
- List owners can now use Scrubber to get the attachments scrubbed (held
225
in the web archive), if the site admin permits it in mm_cfg.py. New
226
variables introduced are SCRUBBER_DONT_USE_ATTACHMENT_FILENAME and
227
SCRUBBER_USE_ATTACHMENT_FILENAME_EXTENSION in Defaults.py for scrubber
232
- Most of the installation instructions have been moved to a latex
233
document. See admin/www/mailman-install/index.html for details.
235
Bug fixes and other patches
237
- Mail-to-news gateway now strips subject prefix off from a response
238
by a mail user if news_prefix_subject_too is not set.
240
- Date and Message-Id headers are added for digests. (1116952)
242
- Improved mail address sanity check. (1030228)
244
- SpamDetect.py now checks attachment header. (1026977)
246
- Filter attachments by filename extensions. (1027882)
248
- Bugs and patches: 955381 (older Python compatibility), 1020102/1013079/
249
1020013 (fix spam filter removed), 665569 (newer Postfix bounce
250
detection), 970383 (moderator -1 admin requests pending), 873035
251
(subject handling in -request mail), 799166/946554 (makefile
252
compatibility), 872068 (add header/footer via unicode), 1032434
253
(KNOWN_SPAMMERS check for multi-header), 1025372 (empty Cc:), 789015
254
(fix pipermail URL), 948152 (Out of date link on Docs), 1099138
255
(Scrubber.py breaks on None part), 1099840/1099840 (deprecated %
256
insertion), 880073/933762 (List-ID RFC compliance), 1090439 (passwd
257
reminder shunted), 1112349 (case insensitivity in acceptable_aliases),
258
1117618 (Don't Cc for personalized anonymous list), 1190404 (wrong
259
permission after editing html)
7
261
2.1.5 (15-May-2004)
9
263
- The admindb page has a checkbox that allows you to discard all held
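Review bot: The added entry about probe messages spells the setting VERP_PROBE ("the default value of VERP_PROBE has been set to `No' from 2.1.6"), while the added "Behavior or defaults changes" entry further down spells it VERP_PROBES ("VERP_PROBES is disabled by default"). Use one spelling in both places, since this is the name an administrator will search the configuration for when checking whether the probe change affects their site. Smaller text fixes in the same added block: "cusomize" should be "customize", "when it fail to write" should be "when it fails to write", "in addition the initial text/plain part" is missing "to", and the pair "1099840/1099840" repeats one bug id, so one of the two numbers is probably wrong.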