
====================================================================

                             CERT-Renater

                 Information Note No. 2018/VULN046
_____________________________________________________________________

DATE                : 12/02/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Mailman versions prior to 2.1.26.

=====================================================================
https://mail.python.org/pipermail/mailman-announce/2018-February/000235.html
_____________________________________________________________________

I am pleased to announce the release of Mailman 2.1.26.

Python 2.4 is the minimum supported, but Python 2.7 is strongly
recommended.

This is a security and bug fix release with a couple of new features.

See the attached README.txt for details.

For those who are concerned about the security vulnerability and can't
upgrade immediately, there is a patch at
<https://bugs.launchpad.net/mailman/+bug/1747209/+attachment/5048344/+files/options.patch>
to fix the security issue. More information on the issue itself is in
the bug report at <https://bugs.launchpad.net/mailman/+bug/1747209>.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.

For more information, please see our web site at one of:

http://www.list.org
https://www.gnu.org/software/mailman
http://mailman.sourceforge.net/
https://mirror.list.org/

Mailman 2.1.26 can be downloaded from

https://launchpad.net/mailman/2.1/
https://ftp.gnu.org/gnu/mailman/
https://sourceforge.net/projects/mailman/


Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
2.1.26 (04-Feb-2018)

  Security

    - An XSS vulnerability in the user options CGI could allow a
      crafted URL to execute arbitrary JavaScript in a user's browser.
      A related issue could expose information on a user's options page
      without requiring login.  These are fixed.  Thanks to Calum
      Hutton for the report.
      CVE-2018-5950  (LP: #1747209)

  New Features

    - Thanks to David Siebörger who adapted an existing patch by Andrea
      Veri to use Google reCAPTCHA v2 there is now the ability to add
      reCAPTCHA to the listinfo subscribe form.  There are two new
      mm_cfg.py settings for RECAPTCHA_SITE_KEY and
      RECAPTCHA_SECRET_KEY, the values for which you obtain for your
      domain(s) from Google at <https://www.google.com/recaptcha/admin>.

    - Thanks to Lindsay Haisley, there is a new bin/mailman-config
      command to display various information about this Mailman version
      and how it was configured.

  i18n

    - The Japanese message catalog has been updated for added strings by
      Yasuhito FUTATSUKI.

    - The German translation of a couple of templates has been updated
      by Thomas Hochstein.

    - The Japanese translation of Defaults.py.in has been updated by
      Yasuhito FUTATSUKI.

  Bug fixes and other patches

    - Fixed an i18n bug in the reCAPTCHA feature.  (LP: #1746189)

    - Added a few more environment variables to the list of those passed
      to CGIs to support an nginx/uwsgi configuration.  (LP: #1744739)

    - Mailman 2.1.22 introduced a Python 2.7 dependency that could
      affect bin/arch processing a message without a valid Date:
      header.  The dependency has been removed.  (LP: #1740543)

    - Messages held for header_filter_rules now show the matched regexp
      in the hold reason.  (LP: #1737371)

    - When updating the group and mode of a .db file with Mailman's
      Postfix integration, a missing file is ignored.  (LP: #1734162)

    - The DELIVERY_RETRY_WAIT setting is now effective.  (LP: #1729472)


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
