- wwsympa/wwsympa.fcgi.in: Preventing faulty newsletter sending (security fix)
- src/sympa.pl.in: [Submitted by B. Marchal, univ. Lorraine] the
loop_prevention_regex parameter was never taken into account.
- New scenarios to check DKIM signature
- When the user requests a change of password via WWSympa or SympaSOAP, the
strength of the new password may be checked.
- src/lib/Scenario.pm: Now CustomCondition can set the action to
take (do_it, reject ...) by setting $_, this allows for complex,
single-module CustomConditions.
and various bug fixes
[10541] src/lib/List.pm: [Submitted by S. Shipway, Univ. of Auckland]
Workaround for aggressive DMARC policy such as yahoo.com. The patch
adds option #3 of this DMARC FAQ: http://dmarc.org/faq.html#s_3
- New list config paragraph "dmarc_protection" to munge "From:" header
and put original header content etc. into comment.
[10540] src/lib/Bulk.pm: New parameters for merged messages.
"part.description", "part.disposition", "part.encoding" and "part.type"
may be used for each part of input messages. These are all-lowercase
(except "part.description").
***** [10207] src/etc/script/create_db.Oracle, src/etc/script/create_db.Pg,
***** src/etc/script/create_db.SQLite, src/etc/script/create_db.Sybase,
***** src/etc/script/create_db.mysql: Two new database fields appeared in
***** this version and a field was modified.
***** - The new fields are prev_id_session (varchar(30)) and
***** refresh_date_session (int(11)). They are located in the session_table
***** table.
***** - The modified field is dkim_privatekey_bulkspool and is located in the
***** bulkspool_table table. Its length went from varchar(1000) to
***** varchar(2000).
***** Sympa installs using MySQL and SQLite backends will have no trouble at
***** all, as the database structure is updated by Sympa.
***** However, if you use Postgres, Oracle or Sybase, please have a look
***** (respectively) at the create_db.Pg, create_db.Oracle or
***** create_db.Sybase to check the definition of those fields. Please update
***** your database structure before running Sympa.
[10206] src/lib/Sympa/DatabaseDescription.pm: Changing length of DKIM
private key in database to ensure database creation scripts will be
updated.
[10074] mail_tt2/command_report.tt2, mail_tt2/info_report.tt2,
mail_tt2/review.tt2, src/lib/Commands.pm, src/lib/List.pm,
src/lib/tt2.pm, web_tt2/edit_list_request.tt2,
web_tt2/review_family.tt2, web_tt2/search_user.tt2,
web_tt2/suboptions.tt2, web_tt2/subscriber_table.tt2,
web_tt2/suspend_request.tt2, wwsympa/wwslib.pm,
wwsympa/wwsympa.fcgi.in: i18n of options for list parameters and
subscriber options.
- Options on edit_list page are shown by i18n'ed titles.
- Only listmasters can view real config values.
- Subscriber options on review pages, command results, subscriber
option pages and so on are shown by i18n'ed titles (along with real
option values).
***** [10051] src/lib/tt2.pm, web_tt2/Makefile.am, web_tt2/css.tt2,
***** web_tt2/ja_JP, web_tt2/ja_JP/css.tt2, web_tt2/ko_KR,
***** web_tt2/ko_KR/css.tt2, web_tt2/main.tt2, web_tt2/zh_CN,
***** web_tt2/zh_CN/css.tt2, web_tt2/zh_TW, web_tt2/zh_TW/css.tt2,
***** wwsympa/wwsympa.fcgi.in: Per-language css.tt2 will override any
***** portion of main css, not fully replacing it. So they may be used for
***** locale-specific customization.
***** Background: Default css.tt2 specifies the font families covering
***** Western scripts (Latin, Cyrillic, ...). East Asian users may prefer
***** consistent font family supporting Western along with Eastern scripts
***** (Han, Hangul, ...).
[9966] src/lib/Message.pm, src/lib/confdef.pm: New site config
parameter "sender_headers" to specify header fields by which message
sender is detected.
This is an enhancement to S. Shipway's improvement.
[9963] web_tt2/review.tt2, web_tt2/show_exclude.tt2,
wwsympa/wwsympa.fcgi.in: [Reported by so many listmasters we lost the
count] Exclusion table was just a display of the users excluded. List
owners could not do anything to restore subscriptions.
This page is now a form, similar to the review page, which allows
restoring users' subscriptions.
[9951] src/lib/List.pm: Now you can define a "scenari" directory in
the lists family directory. These scenarii will be available for lists
instantiated from this family.
The "scenari" directory must be put directly in the family directory,
not in the overall "families" directory. For example, if you want to
define scenarii specific to the "staff" family, you must define a
scenari directory in the /home/sympa/etc/families/staff/ directory. Not
in /home/sympa/etc/families/.
***** [9989] configure.ac, src/Makefile.am, src/alias_manager.pl.in,
***** src/etc/script/ldap_alias_manager.pl.in,
***** src/etc/script/mysql_alias_manager.pl.in, src/lib/confdef.pm,
***** src/sympa_newaliases-wrapper.c, src/sympa_newaliases.pl.in: Now alias
***** maintenance utilities other than newaliases may be used without special
***** configure options nor patch to alias_manager.pl.
***** Changes:
***** - aliaswrapper and virtualwrapper were deprecated and replaced with
***** sympa_newaliases-wrapper.
***** - New alias management program sympa_newaliases.pl which will typically be
***** called by alias_manager.pl via sympa_newaliases-wrapper.
***** - New site configuration parameters aliases_db_type and aliases_program
***** will control behaviour of alias database maintenance.
***** - configure script:
***** - Options --with-sendmail_aliases and --with-virtual_aliases were
***** deprecated. Use --with-aliases_file instead.
***** - New options --with-makemap and --with-postalias, along with
***** options --with-newaliases and --with-postmap are available.
***** - Option --with-postmap_arg was removed.
***** - Alias managers can handle postmap/makemap style maps (delimited by
***** whitespace), not only newaliases style maps (delimited by colon).
[9953] wwsympa/wwsympa.fcgi.in: [Submitted by S. Shipway, univ.
Auckland] several changes in privileges to ease everyday lists
moderation:
- Owners and listmasters can moderate messages and shared repository
- Editors can moderate subscriptions
- 'del' and 'add' scenarios are evaluated to make their result
available in each page.
[8451] src/etc/Makefile.am, src/etc/create_list_templates/confidential,
src/etc/create_list_templates/confidential/comment.tt2,
src/etc/create_list_templates/confidential/config.tt2,
src/etc/scenari/send.confidential: New "confidential" list model.
These lists are used for groups who don't want any publicity around
their activities. All possible restrictions are applied to prevent
unauthorized users from knowing these lists exist and from learning
anything about them.
[8454] web_tt2/footer.tt2, web_tt2/tt2_error.tt2: Removing references
to the Sympa version in web pages to avoid pages being searched by bad
guys willing to exploit known vulnerabilities on out-of-date servers.
For complete list of changes, see
http://www.sympa.org/distribution/latest-stable/NEWS
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
series, users are encouraged to read /usr/pkg/share/doc/sympa/NEWS for
details. Summary of new features:
*** New bulk.pl daemon installed with Sympa. This daemon is dedicated to
mail distribution and allows parallelizing this process on a single
server as well as on multiple servers.
*** [Olivier Lumineau, CRU] Fresh new web CSS for the web interface.
*** Replace storage of password with encryption by md5 fingerprint. This
makes remind password impossible. So now a one-time ticket table is created;
tickets are sent by email as an authentication token. Tickets can be used
for lost password, create account, moderation request. It should be
generalized to all operations that need an email challenge.
*** New property in object message: spam_status. This feature is used in
modindex (listing of messages waiting for moderation) to show messages
tagged as spam.
4 new parameters :
- antispam_feature default off
- antispam_tag_header_name default X-Spam-Status
- antispam_tag_header_spam_regexp default ^\s*Yes
- antispam_tag_header_ham_regexp default ^\s*No
*** DKIM : Sympa now supports DKIM for message diffusion and control.
*** web_tt2/Makefile.am, web_tt2/ca.tt2, web_tt2/lca.tt2,
wwsympa/wwsympa.fcgi.in: It is now possible to create Custom actions
at the list or robot level. These custom actions allow you to create
new pages in the Sympa web interface. For now, you can only display
information using this method. Any post treatment (such as form
submission) must be handled outside of Sympa. See
https://www.sympa.org/manual_6.1/customizing#custom_actions for more
details.
*** [Submitted by J. jourdan] "suspension of membership." The user can suspend
his subscription to the lists that he subscribes to, for a finite length or
not. Added a calendar in javascript to select a date.
Also, lots of translation updates, and bug fixes (including security ones)
to trigger/signal a rebuild for the transition 5.10.1 -> 5.12.1.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=..."), minus the packages updated after
the perl package update.
sno@ was right after all, obache@ kindly asked and he@ led the
way. Thanks!
escalation vulnerabilities) and updated translations:
* Sympa was not fully compliant to the RFC 2616, leading for example
to possible unwanted list deletion by administrators using prefetching
tools. This was fixed by replacing all the threatening GET requests
by POST requests;
* Use of sprint() function for creating SQL queries led to possible
SQL injection through cookie manipulation;
* The use of files in /tmp led to vulnerabilities.
Features:
po/ja.po, po/web_help_ja.po: update Japanese translation of the user
interface, add Japanese translation of online help
po/ru.po: Updated Russian translation.
src/Commands.pm: [#3990][Submitted by A. Berstein, electricembers.net] The
quiet option has been reactivated for the "reject" mail command.
Bug fixes:
wwsympa/archived.pl: [Reported by M. Kretchner, INRIA] It was impossible
to remove a message from web archives or rebuild these archives.
check_perl_modules.pl: [Reported by M. Gorecka-Wolniewicz,
Nicolaus Copernicus univ., Torun] In some cases, CAS logout didn't work.
src/task_manager.pl, wwsympa/archived.pl, wwsympa/bounced.pl: [#3957]
[Reported by O. Berger, Telecom & Management SudParis] When launching
Sympa daemons (other than sympa.pl) with an unknown option, the daemon
was still launched instead of failing to launch.
to trigger/signal a rebuild for the transition 5.8.8 -> 5.10.0.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=...").
Fix CVE-2008-1648 (denial of service)
Several new translations (some of them disabled, because of missing locale
support on NetBSD-3).
Introduction of HTTP session in order to replace a lot of cookies, for better
usability and security. This also allows some new features, from
listing active sessions in admin page to crawler detection.
per list custom user attributes (defined by the list owner)
per list custom list parameters for use in authorization scenarios and
mail templates
LDAP alias manager can now be LDAPS
XSS protection
Session hijacking protection
Performance, mainly regarding the web interface, has been
significantly improved.
new SOAP features allow remote list creation, ADD and DEL of list members
Automatic list creation when a message is sent for the list.
each operation that changes the status of messages/subscriptions/list config
is now logged in a structured DB entry.
Generalization of UTF-8
and more ... See http://www.sympa.org/ for complete list.
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
an extra html/ directory being created in docs. Changes html/ to html/.
to avoid this extra directory on netbsd-4. Should definitively fix
pkg/36007.
Bump PKGREVISION.
Main changes since 4.1.2:
Full virtual robot support ; you can now create 2 lists with the same name in
different virtual robots
Message topics : list messages can be tagged with topics. List owner defines
a set of topics for the list. List members can select topics and only
receive related messages.
Sympa is now VERP enabled
new return_path_suffix parameter in sympa.conf
new 'digest_max_size' list parameter. If a digest exceeds this limit, then
multiple messages are sent.
New set of web templates, CSS and XHTML compatible.
RSS channels are providing the following features :
* latest messages in list archives
* latest documents in web repository
* latest created mailing lists
* most active mailing lists
Also, lots of other small features, translations and bug fixes.
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
backslashes anymore. A single backslash is enough. Changed the
definition in all affected packages. For those that are not caught, an
additional check is placed into bsd.pkginstall.mk.