Changelog for mailman-2.1.37-Virt.150400.2.2.x86_64.rpm :

* Thu Feb 08 2024 Giacomo Comes - Provide user/group, as required by RPM 4.19 (boo#1219531).
* Mon Nov 29 2021 Bernhard Wiedemann - Update to 2.1.37
- A bug in the fix for CVE-2021-43332 has been fixed. (LP: #1950833)
- Fixed a potential XSS attack via the user options page (CVE-2021-43331)
- Fixed a potential for a list moderator to carry out an off-line brute force attack to obtain the list admin password CVE-2021-43332 (LP: #1949403)
* Wed Oct 27 2021 Bernhard Wiedemann - Update to 2.1.35 to fix 2 security issues:
- A potential for a list member to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed. CVE-2021-42096 (boo#1191959, LP:#1947639)
- A CSRF attack via the user options page could allow takeover of a user's account. This is fixed. CVE-2021-42097 (boo#1191960, LP:#1947640)
* Thu Oct 15 2020 Matej Cepl - Update to 2.1.34:
- The fix for lp#1859104 can result in ValueError being thrown on attempts to subscribe to a list. This is fixed and extended to apply REFUSE_SECOND_PENDING to unsubscription as well. (lp#1878458)
- DMARC mitigation no longer misses if the domain name returned by DNS contains upper case. (lp#1881035)
- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent mailbombing of a member of a list with private rosters by repeated subscribe attempts. (lp#1883017)
- Very long filenames for scrubbed attachments are now truncated. (lp#1884456)
- A content injection vulnerability via the private login page has been fixed. CVE-2020-15011 (lp#1877379, bsc#1173369)
- A content injection vulnerability via the options login page has been discovered and reported by Vishal Singh. CVE-2020-12108 (lp#1873722, bsc#1171363)
- Bounce recognition for a non-compliant Yahoo format is added.
- Archiving workaround for non-ascii in string.lowercase in some Python packages is added.
- Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses list setting that can be used to apply dmarc_moderation_action to mail From: addresses listed or matching listed regexps. This can be used to modify mail to addresses that don't accept external mail From: themselves.
- There is a new MAX_LISTNAME_LENGTH setting. The fix for lp#1780874 obtains a list of the names of all the lists in the installation in order to determine the maximum length of a legitimate list name. It does this on every web access and on sites with a very large number of lists, this can have performance implications. See the description in Defaults.py for more information.
- Thanks to Ralf Jung there is now the ability to add text based captchas (aka textchas) to the listinfo subscribe form. See the documentation for the new CAPTCHA setting in Defaults.py for how to enable this. Also note that if you have custom listinfo.html templates, you will have to add a tag to those templates to make this work. This feature can be used in combination with or instead of the Google reCAPTCHA feature added in 2.1.26.
- Thanks to Ralf Hildebrandt the web admin Membership Management section now has a feature to sync the list's membership with a list of email addresses as with the bin/sync_members command.
- There is a new drop_cc list attribute set from DEFAULT_DROP_CC. This controls the dropping of addresses from the Cc: header in delivered messages by the duplicate avoidance process. (lp#1845751)
- There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that will cause a second request to subscribe to a list when there is already a pending confirmation for that user. This can be set to Yes to prevent mailbombing of a third party by repeatedly posting the subscribe form. (lp#1859104)
- Fixed the confirm CGI to catch a rare TypeError on simultaneous confirmations of the same token. (lp#1785854)
- Scrubbed application/octet-stream MIME parts will now be given a .bin extension instead of .obj. CVE-2020-12137 (lp#1886117)
- Added bounce recognition for a non-compliant opensmtpd DSN with Action: error. (lp#1805137)
- Corrected and augmented some security log messages. (lp#1810098)
- Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All. (lp#1818205)
- Leading/trailing spaces in provided email addresses for login to private archives and the user options page are now ignored. (lp#1818872)
- Fixed the spelling of the --no-restart option for mailmanctl.
- Fixed an issue where certain combinations of charset and invalid characters in a list's description could produce a List-ID header without angle brackets. (lp#1831321)
- With the Postfix MTA and virtual domains, mappings for the site list -bounces and -request addresses in each virtual domain are now added to data/virtual-mailman (-owner was done in 2.1.24). (lp#1831777)
- The paths.py module now extends sys.path with the result of site.getsitepackages() if available. (lp#1838866)
- A bug causing a UnicodeDecodeError in preparing to send the confirmation request message to a new subscriber has been fixed. (lp#1851442)
- The SimpleMatch heuristic bounce recognizer has been improved to not return most invalid email addresses. (lp#1859011)
- Patches reapplied on the new tarball:
  - mailman-2.1.14-editarch.patch
  - mailman-2.1.14-python.dif
  - mailman-2.1.4-notavaliduser.patch
  - mailman-2.1.5-no_extra_asian.dif
  - mailman-weak-password.diff
* Tue Apr 14 2020 Sven Uebelacker - update to version 2.1.30
- Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses list setting that can be used to apply dmarc_moderation_action to mail From: addresses listed or matching listed regexps. This can be used to modify mail to addresses that don't accept external mail From: themselves.
- There is a new MAX_LISTNAME_LENGTH setting. The fix for LP: #1780874 obtains a list of the names of all the lists in the installation in order to determine the maximum length of a legitimate list name. It does this on every web access and on sites with a very large number of lists, this can have performance implications. See the description in Defaults.py for more information.
- Thanks to Ralf Jung there is now the ability to add text based captchas (aka textchas) to the listinfo subscribe form. See the documentation for the new CAPTCHA setting in Defaults.py for how to enable this. Also note that if you have custom listinfo.html templates, you will have to add a tag to those templates to make this work. This feature can be used in combination with or instead of the Google reCAPTCHA feature added in 2.1.26.
- Thanks to Ralf Hildebrandt the web admin Membership Management section now has a feature to sync the list's membership with a list of email addresses as with the bin/sync_members command.
- There is a new drop_cc list attribute set from DEFAULT_DROP_CC. This controls the dropping of addresses from the Cc: header in delivered messages by the duplicate avoidance process. (LP: #1845751)
- There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that will cause a second request to subscribe to a list when there is already a pending confirmation for that user. This can be set to Yes to prevent mailbombing of a third party by repeatedly posting the subscribe form. (LP: #1859104)
- i18n
* The Japanese translation has been updated by Yasuhito FUTATSUKI.
* The German translation has been updated by Ludwig Reiter.
* The Spanish translation has been updated by Omar Walid Llorente.
* The Brazilian Portuguese translation has been updated by Emerson de Mello.
* Thu Dec 20 2018 mceplAATTsuse.com- Add mailman-update-cfg to avoid user mailman writing to /usr/lib directories (compiled Python files).
* Tue Dec 11 2018 Jan Engelhardt - Use multi-argument find -exec.
- Set bash as build shell due to occurrence of "=~".
* Fri Dec 07 2018 mceplAATTsuse.com- Add systemd timers to be used instead of cron. (boo#1115446)
- Rewrite whole package to use systemd services instead of SysV init. (boo#1116022)
- Lots and lots of cleanup to minimize rpmlint warnings (the remaining ones are either false positives or they don't make much sense)
* Wed Aug 22 2018 bwiedemannAATTsuse.com- Add reproducible.patch to use fixed build date in mailman-config to make package build reproducible (boo#1047218)
* Thu Aug 09 2018 mceplAATTsuse.com- Restore generation of /etc/mailman/mailman.cgi-gid (bsc#1095112)
* Thu Jul 26 2018 liedkeAATTrz.uni-mannheim.de- update to 2.1.29:
* Fixed the listinfo and admin overview pages that were broken
* Tue Jul 24 2018 liedkeAATTrz.uni-mannheim.de- update to 2.1.28:
* A content spoofing vulnerability with invalid list name messages in the web UI has been fixed. CVE-2018-13796 bsc#1101288
* It is now possible to edit HTML and text templates via the web admin UI in a supported language other than the list's preferred_language.
* The Japanese translation has been updated
* The German translation has been updated
* The Esperanto translation has been updated
* The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature added in 2.1.27 was not working. This is fixed.
* Escaping of HTML entities for the web UI is now done more selectively.
* Wed Jun 27 2018 liedkeAATTrz.uni-mannheim.de- update to 2.1.27 bsc#1099510:
* Existing protections against malicious listowners injecting evil scripts into listinfo pages have had a few more checks added. JVN#00846677/JPCERT#97432283/CVE-2018-0618
* A few more error messages have had their values HTML escaped. JVN#00846677/JPCERT#97432283/CVE-2018-0618
* The hash generated when SUBSCRIBE_FORM_SECRET is set could have been the same as one generated at the same time for a different list and IP address. While this is not thought to be exploitable in any way, the generation has been changed to avoid this.
* An option has been added to bin/add_members to issue invitations instead of immediately adding members.
* A new BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE setting has been added to enable blocking web subscribes from IPv4 addresses listed in Spamhaus SBL, CSS or XBL. It will work with IPv6 addresses if Python's py2-ipaddress module is installed. The module can be installed via pip if not included in your Python.
* Mailman has a new 'security' log and logs authentication failures to the various web CGI functions. The logged data include the remote IP and can be used to automate blocking of IPs with something like fail2ban. Since Mailman 2.1.14, these have returned an HTTP 401 status and the information should be logged by the web server, but this new log makes that more convenient. Also, the 'mischief' log entries for 'hostile listname' now include the remote IP if available.
* admin notices of (un)subscribes now may give the source of the action. This consists of a %(whence)s replacement that has been added to the admin(un)subscribeack.txt templates. Thanks to Yasuhito FUTATSUKI for updating the non-English templates and help with internationalizing the reasons.
* there is a new BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE setting to enable blocking web subscribes for addresses in domains listed in the Spamhaus DBL.
* i18n & Bugfixes
* for further details see NEWS
* Mon Mar 19 2018 tchvatalAATTsuse.com- Fix install prefix for some of the files
- Install license file
* Fri Mar 16 2018 tchvatalAATTsuse.com- Sort out with spec-cleaner
- Use direct paths in post scriptlets and properly state their deps
- Do not attempt user creation during build, fails anyway
- Use proper user creation code in scriptlets
* Thu Mar 15 2018 liedkeAATTrz.uni-mannheim.de- update to 2.1.26
* An XSS vulnerability in the user options CGI could allow a crafted URL to execute arbitrary javascript in a user's browser. A related issue could expose information on a user's options page without requiring login. (CVE-2018-5950) bsc#1077358
* Google reCAPTCHA v2
* New bin/mailman-config command to display various information about this Mailman version and how it was configured.
* bug fixes, i18n updates
* for further details see NEWS
- update to 2.1.25
* The admindb held subscriptions listing now includes the date of the most recent request from the address.
* bug fixes, i18n updates
* for further details see NEWS
- update to 2.1.24
* bug fixes, i18n updates
* for further details see NEWS
- Rename and refresh patch:
* mailman-2.1.2-list_lists.patch to mailman-2.1.26-list_lists.patch
* Mon Nov 27 2017 dmuellerAATTsuse.com- remove distributable flag (which is always true): drops SuSEconfig.mailman-SuSE, mailman-SuSE.patch, mailman-SuSE2.patch
* Thu Nov 23 2017 rbrownAATTsuse.com- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
* Thu Jun 29 2017 dimstarAATTopensuse.org- Fix pre script for usage with more recent postfix versions.
* Mon Mar 20 2017 kukukAATTsuse.de- Require system user wwwrun
* Mon Feb 20 2017 kukukAATTsuse.de- Require fillup and insserv if we call them
* Mon Aug 29 2016 hsk17AATTmail.de- update to 2.1.23
* CSRF protection in user options page (CVE-2016-6893)
* header_filter_rules matching: headers and patterns are all decoded to unicode
* another possible REMOVE_DKIM_HEADERS setting
* SMTPDirect.py can now do SASL authentication and STARTTLS
* bug fixes, i18n updates
* for further details see NEWS
* Mon Apr 18 2016 hskAATTimb-jena.de- update to 2.1.22
* bug fixes, i18n updates; for details see NEWS
* Tue Mar 29 2016 hskAATTimb-jena.de- updated mailman-apache2.conf to support "require" syntax of recent apache httpd
* Mon Feb 29 2016 hskAATTimb-jena.de- update to 2.1.21
* new dmarc_none_moderation_action list setting
* new feature to automatically turn on moderation for single list members (spam prevention)
* new mm_cfg.py setting GLOBAL_BAN_LIST
* translation updates and bug fixes
* for more details see NEWS and Mailman/Defaults.py
- mailman-2.1.4-dirmode.patch: adjusted to 2.1.21
* Wed Feb 03 2016 mpluskalAATTsuse.com- Use url for source
- Add gpg signature
* Tue Mar 31 2015 hskAATTimb-jena.de- update to 2.1.20 bsc#925502
* fix for CVE-2015-2775 (path traversal vulnerability)
* new Address Change sub-section in the web admin Membership Management section
* translation updates and bug fixes
* Mon Mar 02 2015 hskAATTimb-jena.de- update to 2.1.19
* backports from 2.2 development branch
  - new list attribute 'subscribe_auto_approval'
  - added 'automate' option to bin/newlist
  - processing of Topics regular expressions has changed
  - added real name display to the web roster, controlled by new ROSTER_DISPLAY_REALNAME setting
  - bug fixes
* new list attribute dmarc_wrapped_message_text and DEFAULT_DMARC_WRAPPED_MESSAGE_TEXT setting
* new list attribute equivalent_domains and DEFAULT_EQUIVALENT_DOMAINS setting
* new WEB_HEAD_ADD setting
* new DEFAULT_SUBSCRIBE_OR_INVITE setting
* new list attribute bounce_notify_owner_on_bounce_increment and DEFAULT_BOUNCE_NOTIFY_OWNER_ON_BOUNCE_INCREMENT setting
* log files, request.pck files and heldmsg-* files are no longer created world readable
* i18n updates
* bug fixes
* Fri Oct 17 2014 hskAATTimb-jena.de- update to 2.1.18
* mailman now requires dnspython
* new dmarc_moderation_action feature and corresponding list and default settings
* bug fixes
 