Local change (which is why we have PKGREVISION=1)
Fix http://secunia.com/advisories/18449/ (CVE-2005-4153) based on debian
patches.
Changes between 2.1.6 and 2.1.7:
Security
- The fix for CAN-2005-0202 has been enhanced to issue an appropriate
message instead of just quietly dropping ./ and ../ from URLs.
- A note on CVE-2005-3573: Although the RFC2231 bug example in the CVE has
been solved in Mailman 2.1.6, there may be more cases where
ToDigest.send_digests() can block regular delivery. We put the
send_digests() calling part in a try/except clause and leave a message
in the error log if something happened in send_digests(). Daily call of
cron/senddigests will provide more detail to the site administrator.
- List administrators can no longer change the user's option/subscription
globally. Site admin can change these only if
mm_cfg.ALLOW_SITE_ADMIN_COOKIES is set to Yes.
- <script> tags are HTML-escaped in the edithtml CGI script.
- Since the probe message for disabled users may reach unintended
recipients, the password is excluded from sendProbe() and probe.txt.
Note that the default value of VERP_PROBE has been set to `No' from
2.1.6., thus this change doesn't affect the default behavior.
New Features
- Always remove DomainKey (and similar) headers from messages sent to the
list. (1287546)
- List owners can control the content filter behavior when collapsing
multipart/alternative parts to its first subpart. This allows the
option of letting the HTML part pass through after other content
filtering is done.
Internationalization
- New language: Interlingua.
Bug fixes and other patches
- Defaults.py.in: SCRUBBER_DONT_USE_ATTACHMENT_FILENAME is set to True for
safer operation.
- Fixed the bug where Scrubber.py munges quoted-printable by introducing
the 'X-Mailman-Scrubbed' header which marks that the payload is
scrubber-munged. The flag is referenced in ToDigest.py, ToArchive.py,
Decorate.py and Archiver. A similar problem in ToDigest.py where the
plain digest is generated is also fixed.
- Fixed Syslog.py to write quopri encoded messages when it fail to write
8-bit characters.
- Fixed MTA/Postfix.py to check aliases group permission in check_perms
and fixed mailman-install document on this matter (1378270).
- Fixed private.py to go to the original URL after authorization
(1080943).
- Fixed bounce log score messages to be more consistent.
- Fixed bin/remove_members to accept no arguments when both --fromall and
--file= options are specified.
- Changed cgi-bin and mail wrapper "group not found" error message to be
more descriptive of the actual problem.
- The list's ban_list now applies to address changes, admin mass
subscribes and invites, and to confirmations/approvals of address
changes, subscriptions and invitations.
- quoted-printable and base64 encoded parts are decoded before passing to
HTML_TO_PLAIN_TEXT_COMMAND (1367783).
- Approve: header is removed from posts, and treated the same as the
Approved: header. (1355707)
- Fixed the removal of the line following Approve[d]: line in body of
post. (1318883)
- The Approve[d]: <password> header is removed from all text/* parts in
addition the initial text/plain part. It must still be the first
non-blank line in the first text/plain part or it won't be found or
removed at all. (1181161)
- Posts are now logged in post log file with the true sender, not
listname-bounces. (1287921)
- Correctly initialize and remember the list's default_member_moderation
attribute in the web list creation page. (1263213)
- PEP263 charset is added to the config_list output. (1343100)
- Fixed header_filter_rules getting lost if accessed directly and
authentication was needed by login page. (1230865)
- Obscure email when the poster doesn't set full name in 'From:' header.
- Preambles and epilogues are taken into account when calculating message
sizes for holding purposes. (Mark Sapiro)
- Logging/Logger.py unicode transform option. (1235567)
- bin/update crashes with bogus files. (949117)
- Bugs and patches: 1212066/1301983 (Date header in create/remove notice)
68085448ca