Index: NEWS
===================================================================
RCS file: /cvsroot/mailman/mailman/NEWS,v
retrieving revision 1.25.2.1
retrieving revision 1.25.2.2
diff -u -r1.25.2.1 -r1.25.2.2
--- NEWS 2001/01/03 07:08:33 1.25.2.1
+++ NEWS 2001/03/03 06:51:26 1.25.2.2
@@ -4,6 +4,36 @@
Here is a history of user visible changes to Mailman.
+2.0.2 (03-Mar-2001)
+
+ Security fix:
+
+ - A fix for a potential privacy exploit where a clever list
+ administrator could gain access to user passwords. This doesn't
+ allow them to do much more harm to the user then they normally
+ could, but they still shouldn't have access to the passwords.
+
+ Bug fixes:
+
+ - In the admindb page, don't complain when approving a
+ subscription of someone who's already on the list (SF bug
+ #222409 - Thomas Wouters).
+
+ Also, quote for HTML the Subject: text printed for held
+ messages, otherwise messages with e.g. "Subject: </table>" could
+ royally screw page formatting.
+
+ - In Netscape.py bounce processor, don't bomb out on ill-formed
+ messages (no semi-colon separating parameters), otherwise mail
+ delivery could grind to a halt. Bug reported by Kambiz
+ Aghaiepour.
+
+ - Docstring fix bin/newlist to remove mention of "immediate"
+ argument (Thomas Wouters).
+
+ - Fix for bin/update when PREFIX != VAR_PREFIX (SF bug #229794 --
+ Thomas Wouters).
+
2.0.1 (03-Jan-2001)
Bug fix release, namely fixes a buglet in bin/withlist affecting
Index: UPGRADING
===================================================================
RCS file: /cvsroot/mailman/mailman/UPGRADING,v
retrieving revision 1.16.2.2
retrieving revision 1.16.2.3
diff -u -r1.16.2.2 -r1.16.2.3
--- UPGRADING 2001/01/03 06:35:43 1.16.2.2
+++ UPGRADING 2001/03/03 06:54:25 1.16.2.3
@@ -33,6 +33,11 @@
http://mail.python.org/pipermail/mailman-users/2000-September/006826.html
+UPGRADING FROM 2.0.1 to 2.0.2
+
+ Nothing much more than running "make install" (after upgrading)
+ should be necessary.
+
UPGRADING FROM 2.0 to 2.0.1
Nothing much more than running "make install" (after upgrading)
@@ -47,7 +52,7 @@
The cron jobs for Mailman 2.0 final have changed considerably,
including the frequency with which they run. You should reload
- misc/crontab.in for the `mailman' user to get the right settings.
+ cron/crontab.in for the `mailman' user to get the right settings.
See the INSTALL file for details.
FAILURE TO DO THIS WILL RESULT IN A LESS THAN OPTIMALLY FUNCTIONAL
Index: Mailman/ListAdmin.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/ListAdmin.py,v
retrieving revision 1.47
retrieving revision 1.47.2.1
diff -u -r1.47 -r1.47.2.1
--- Mailman/ListAdmin.py 2000/11/08 19:19:55 1.47
+++ Mailman/ListAdmin.py 2001/03/02 23:32:15 1.47.2.1
@@ -326,9 +326,13 @@
else:
# subscribe
assert value == mm_cfg.SUBSCRIBE
- self.ApprovedAddMember(addr, password, digest)
- # TBD: disgusting hack: ApprovedAddMember() can end up closing the
- # request database.
+ try:
+ self.ApprovedAddMember(addr, password, digest, lang)
+ except Errors.MMAlreadyMember:
+ # User has already been subscribed, after sending the request
+ pass
+ # TBD: disgusting hack: ApprovedAddMember() can end up closing
+ # the request database.
self.__opendb()
return REMOVE
Index: Mailman/Version.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/Version.py,v
retrieving revision 1.20.2.1
retrieving revision 1.20.2.2
diff -u -r1.20.2.1 -r1.20.2.2
--- Mailman/Version.py 2001/01/03 06:49:34 1.20.2.1
+++ Mailman/Version.py 2001/03/03 06:19:15 1.20.2.2
@@ -1,4 +1,4 @@
-# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
+# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -15,7 +15,7 @@
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# Mailman version
-VERSION = "2.0.1"
+VERSION = "2.0.2"
# And as a hex number in the manner of PY_VERSION_HEX
ALPHA = 0xa
@@ -27,7 +27,7 @@
MAJOR_REV = 2
MINOR_REV = 0
-MICRO_REV = 1
+MICRO_REV = 2
REL_LEVEL = FINAL
# at most 15 beta releases!
REL_SERIAL = 0
Index: Mailman/Bouncers/Netscape.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/Bouncers/Netscape.py,v
retrieving revision 1.5
retrieving revision 1.5.2.2
diff -u -r1.5 -r1.5.2.2
--- Mailman/Bouncers/Netscape.py 2000/06/20 05:40:36 1.5
+++ Mailman/Bouncers/Netscape.py 2001/02/20 23:25:08 1.5.2.2
@@ -49,8 +49,10 @@
# multipart/mixed;
# TBD: should we tighten this check?
if msg.getmaintype() <> 'multipart':
- return None
+ return
boundary = msg.getparam('boundary')
+ if boundary is None:
+ return
msg.fp.seek(0)
mfile = multifile.MultiFile(msg.fp)
mfile.push(boundary)
Index: Mailman/Cgi/admindb.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/admindb.py,v
retrieving revision 1.36
retrieving revision 1.36.2.1
diff -u -r1.36 -r1.36.2.1
--- Mailman/Cgi/admindb.py 2000/09/29 00:05:05 1.36
+++ Mailman/Cgi/admindb.py 2001/03/03 06:02:01 1.36.2.1
@@ -1,4 +1,4 @@
-# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
+# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -186,7 +186,7 @@
t.AddRow([Bold('From:'), sender])
row, col = t.GetCurrentRowIndex(), t.GetCurrentCellIndex()
t.AddCellInfo(row, col-1, align='right')
- t.AddRow([Bold('Subject:'), subject])
+ t.AddRow([Bold('Subject:'), cgi.escape(subject)])
t.AddCellInfo(row+1, col-1, align='right')
t.AddRow([Bold('Reason:'), reason])
t.AddCellInfo(row+2, col-1, align='right')
Index: Mailman/Handlers/Decorate.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/Handlers/Decorate.py,v
retrieving revision 1.7
retrieving revision 1.7.2.1
diff -u -r1.7 -r1.7.2.1
--- Mailman/Handlers/Decorate.py 2000/09/15 17:19:19 1.7
+++ Mailman/Handlers/Decorate.py 2001/03/03 06:49:11 1.7.2.1
@@ -30,6 +30,9 @@
# Digests already have their own header and footers attached.
return
d = Utils.SafeDict(mlist.__dict__)
+ # Certain attributes are sensitive
+ del d['password']
+ del d['passwords']
d['cgiext'] = mm_cfg.CGIEXT
# interpolate into the header
try:
Index: admin/www/download.ht
===================================================================
RCS file: /cvsroot/mailman/mailman/admin/www/download.ht,v
retrieving revision 1.5.2.1
retrieving revision 1.5.2.2
diff -u -r1.5.2.1 -r1.5.2.2
--- admin/www/download.ht 2001/01/03 06:53:29 1.5.2.1
+++ admin/www/download.ht 2001/03/03 06:18:47 1.5.2.2
@@ -65,9 +65,9 @@
<h3>Downloading</h3>
<p>Version
-(<!-VERSION--->2.0.1<!-VERSION--->,
+(<!-VERSION--->2.0.2<!-VERSION--->,
released on
-<!-DATE--->Jan 3 2001<!-DATE--->)
+<!-DATE--->Mar 3 2001<!-DATE--->)
is the current GNU release. It is available from the following mirror sites:
<ul>
Index: admin/www/download.html
===================================================================
RCS file: /cvsroot/mailman/mailman/admin/www/download.html,v
retrieving revision 1.6.2.3
retrieving revision 1.6.2.4
diff -u -r1.6.2.3 -r1.6.2.4
--- admin/www/download.html 2001/01/05 16:23:07 1.6.2.3
+++ admin/www/download.html 2001/03/03 06:18:47 1.6.2.4
@@ -1,6 +1,6 @@
<HTML>
<!-- THIS PAGE IS AUTOMATICALLY GENERATED. DO NOT EDIT. -->
-<!-- Fri Jan 5 11:17:23 2001 -->
+<!-- Sat Mar 3 01:06:34 2001 -->
<!-- USING HT2HTML 1.1 -->
<!-- SEE http://www.wooz.org/barry/software/pyware.html -->
<!-- User-specified headers:
@@ -237,9 +237,9 @@
<h3>Downloading</h3>
<p>Version
-(<!-VERSION--->2.0.1<!-VERSION--->,
+(<!-VERSION--->2.0.2<!-VERSION--->,
released on
-<!-DATE--->Jan 3 2001<!-DATE--->)
+<!-DATE--->Mar 3 2001<!-DATE--->)
is the current GNU release. It is available from the following mirror sites:
<ul>
Index: bin/newlist
===================================================================
RCS file: /cvsroot/mailman/mailman/bin/newlist,v
retrieving revision 1.36
retrieving revision 1.36.2.1
diff -u -r1.36 -r1.36.2.1
--- bin/newlist 2000/11/15 12:49:18 1.36
+++ bin/newlist 2001/03/03 05:58:19 1.36.2.1
@@ -1,6 +1,6 @@
#! /usr/bin/env python
#
-# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
+# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -26,7 +26,7 @@
--quiet
Normally the administrator is notified by email (after a prompt) that
their list has been created. This option suppresses that
- notification.
+ notification and the prompting.
-o file
--output=file
@@ -36,11 +36,8 @@
-h/--help
Print this help text and exit.
-You can specify as many of the arguments as you want on the command line.
-The optional <immediate> argument, if present, means to send out the notice
-immediately. Otherwise, the script hangs pending input, to give time for
-the person creating the list to customize it before sending the admin an
-email notice about the existence of the new list.
+You can specify as many of the arguments as you want on the command line:
+you will be prompted for the missing ones.
Note that listnames are forced to lowercase.
"""
Index: bin/update
===================================================================
RCS file: /cvsroot/mailman/mailman/bin/update,v
retrieving revision 1.24
retrieving revision 1.24.2.1
diff -u -r1.24 -r1.24.2.1
--- bin/update 2000/11/01 02:31:28 1.24
+++ bin/update 2001/03/02 23:19:33 1.24.2.1
@@ -72,7 +72,10 @@
def makeabs(relpath):
return os.path.join(mm_cfg.PREFIX, relpath)
+def make_varabs(relpath):
+ return os.path.join(mm_cfg.VAR_PREFIX, relpath)
+
�
def dolist(listname):
errors = 0
@@ -83,11 +86,12 @@
print 'WARNING: could not acquire lock for list:', listname
return 1
- mbox_dir = makeabs('archives/private/%s.mbox' % (listname))
- mbox_file = makeabs('archives/private/%s.mbox/%s' % (listname, listname))
+ mbox_dir = make_varabs('archives/private/%s.mbox' % (listname))
+ mbox_file = make_varabs('archives/private/%s.mbox/%s' % (listname,
+ listname))
- o_pub_mbox_file = makeabs('archives/public/%s' % (listname))
- o_pri_mbox_file = makeabs('archives/private/%s' % (listname))
+ o_pub_mbox_file = make_varabs('archives/public/%s' % (listname))
+ o_pri_mbox_file = make_varabs('archives/private/%s' % (listname))
html_dir = o_pri_mbox_file
o_html_dir = makeabs('public_html/archives/%s' % (listname))
@@ -193,9 +197,9 @@
# save the new variables and
# let it create public symlinks if necessary
#
- mlist.archive_directory = makeabs('archives/private/%s' % (listname))
- mlist.private_archive_file_dir = makeabs('archives/private/%s.mbox' %
- listname)
+ mlist.archive_directory = make_varabs('archives/private/%s' % (listname))
+ mlist.private_archive_file_dir = make_varabs('archives/private/%s.mbox' %
+ listname)
mlist.Save()
#
# check to see if pre-b4 list-specific templates are around