Change log for mailman package in Debian
Published in buster-release
mailman (1:2.1.29-1+deb10u5) buster; urgency=medium * Non-maintainer upload by the Security Team. * CSRF check for user tokens should not be case sensitive (Closes: #1001685) - The fix for CVE-2021-42097 requires that the user submitting a user options form match the user in the CSRF token submitted with the form, but the match is case sensitive and should not be. - There is also a potential NameError exception in logging a mismatch. -- Salvatore Bonaccorso <email address hidden> Sat, 26 Feb 2022 20:17:25 +0100
Published in stretch-release
mailman (1:2.1.23-1+deb9u5) stretch-security; urgency=high * Upload to stretch for security issue. * Fix stored cross site scripting in attachment extensions. -- Thijs Kinkhorst <email address hidden> Thu, 23 Apr 2020 17:48:05 +0200
Superseded in buster-release
mailman (1:2.1.29-1+deb10u1) buster-security; urgency=high * Upload to buster for security issue. * Fix stored cross site scripting in attachment extensions. -- Thijs Kinkhorst <email address hidden> Fri, 24 Apr 2020 16:27:05 +0200
Superseded in stretch-release
mailman (1:2.1.23-1+deb9u4) stretch; urgency=medium * Non-maintainer upload. * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796) (Closes: #903674) -- Salvatore Bonaccorso <email address hidden> Mon, 03 Sep 2018 22:00:38 +0200
mailman (1:2.1.29-1) unstable; urgency=medium * New upstream release. - Fixes CVE-2018-13796 -- Thijs Kinkhorst <email address hidden> Wed, 05 Sep 2018 05:03:24 +0000
Available diffs
- diff from 1:2.1.27-1 to 1:2.1.29-1 (388.6 KiB)
Superseded in sid-release
mailman (1:2.1.27-1.1) unstable; urgency=medium * Non-maintainer upload. * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796) (Closes: #903674) -- Salvatore Bonaccorso <email address hidden> Sun, 02 Sep 2018 22:23:45 +0200
mailman (1:2.1.27-1) unstable; urgency=medium * New upstream release. * Run dh_autoreconf to make build reproducible (closes: 889637). Thanks Chris Lamb for the patch. * Drop Debian patches mangling translations, upstream is in a much better shape nowadays (closes: 901810). * Checked for policy 4.1.4, no changes. * Set a SUBSCRIBE_FORM_SECRET in mm_cfg.py on new installs, to add protection against subscription spam in the default installation. Existing installs will not be changed because it might break external subscribe forms (closes: 900648). -- Thijs Kinkhorst <email address hidden> Sat, 23 Jun 2018 13:23:17 +0000
Available diffs
- diff from 1:2.1.26-1 to 1:2.1.27-1 (856.6 KiB)
Published in jessie-release
mailman (1:2.1.18-2+deb8u2) jessie-security; urgency=high * CVE-2018-5950: XSS and information leak in user options. (Closes: #888201). -- Thijs Kinkhorst <email address hidden> Thu, 08 Feb 2018 07:30:49 +0100
Superseded in stretch-release
mailman (1:2.1.23-1+deb9u2) stretch-security; urgency=high * CVE-2018-5950: XSS and information leak in user options. (Closes: #888201) -- Thijs Kinkhorst <email address hidden> Thu, 08 Feb 2018 07:54:28 +0100
mailman (1:2.1.26-1) unstable; urgency=medium * New upstream release. - Fixes XSS in user options CGI (CVE-2018-5950, closes: #888201) * Document that this is the legacy branch of Mailman and that all major development is focused on Mailman 3 (package mailman3). -- Thijs Kinkhorst <email address hidden> Sun, 04 Feb 2018 18:23:18 +0000
Available diffs
- diff from 1:2.1.25-1 to 1:2.1.26-1 (98.0 KiB)
mailman (1:2.1.25-1) unstable; urgency=medium * New upstream release. * Checked for policy 4.1.3: removed init.d invocation from prerm and also from user instructions. * Upgraded to debhelper compat level 11. * Replace init script with systemd service file. Thanks a lot to Stefan Bühler for the helpful suggestion! This also should improve robustness against log rotation. (Closes: #881329, #733475, #505638) * Packaging cleanups. -- Thijs Kinkhorst <email address hidden> Sun, 07 Jan 2018 18:22:51 +0000
Available diffs
- diff from 1:2.1.24-1 to 1:2.1.25-1 (367.7 KiB)
Superseded in stretch-release
mailman (1:2.1.23-1+deb9u1) stretch; urgency=medium * Fixed broken dependencies in SpamAssassin.py (Closes: #838288). Thanks Stephen Rothwell for the patch. -- Thijs Kinkhorst <email address hidden> Thu, 14 Sep 2017 12:23:04 +0200
mailman (1:2.1.24-1) unstable; urgency=medium * New upstream release. * Fixed broken dependencies in SpamAssassin.py (Closes: #838288). Thanks Stephen Rothwell for the patch. -- Thijs Kinkhorst <email address hidden> Tue, 05 Sep 2017 14:31:54 +0000
Available diffs
- diff from 1:2.1.23-1 to 1:2.1.24-1 (329.8 KiB)
Superseded in jessie-release
mailman (1:2.1.18-2+deb8u1) jessie-security; urgency=high * CVE-2016-6893: Fix CSRF vulnerability associated in the user options page which could allow an attacker to obtain a user's password. (Closes: #835970) -- Thijs Kinkhorst <email address hidden> Thu, 15 Sep 2016 07:47:56 +0200
mailman (1:2.1.23-1) unstable; urgency=medium * New upstream release. - Fixes CSRF in user options (CVE-2016-6893, closes: #835970). -- Thijs Kinkhorst <email address hidden> Tue, 13 Sep 2016 16:01:59 +0000
Available diffs
- diff from 1:2.1.22-1 to 1:2.1.23-1 (1.4 MiB)
mailman (1:2.1.22-1) unstable; urgency=medium * New upstream release. (Closes: #821367) * Checked for policy 3.9.8, no changes. -- Thijs Kinkhorst <email address hidden> Mon, 25 Apr 2016 16:39:06 +0000
Available diffs
- diff from 1:2.1.20-1 to 1:2.1.22-1 (921.2 KiB)
Published in wheezy-release
mailman (1:2.1.15-1+deb7u1) wheezy-security; urgency=high * Fix security issue: path traversal through local_part. Affects installations which use an Exim or Postfix transport instead of fixed aliases; attacker needs to be able to place files on the local filesystem. (CVE-2015-2775, Closes: 781626) -- Thijs Kinkhorst <email address hidden> Mon, 06 Apr 2015 18:17:34 +0200
mailman (1:2.1.20-1) unstable; urgency=medium * New upstream release. (Closes: #779911) - Drop obsolete patches: 92_CVE-2015-2775.patch * Checked for policy 3.9.6, no changes. * Update to debhelper compat level 9. * Make postfix-to-mailman.py work with the full recipient email address, solving an issue when recipient_delimiter = "-". To take advantage of this, change "${user}" to "${recipient}" in Postfix' master.cf. Patch by Brian O'Connor. (Closes: #578986) * Make package build reproducibly by using install instead of cp for installing qmail-to-mailman.py. Patch by Jérémy Bobbio. (Closes: #783151) * Update example apache.conf for Apache 2.4. * Add cron-daemon as dependency alternative to cron. (Closes: #785193) -- Thijs Kinkhorst <email address hidden> Thu, 14 May 2015 14:09:42 +0000
Available diffs
- diff from 1:2.1.18-2 to 1:2.1.20-1 (1.7 MiB)
mailman (1:2.1.18-2) unstable; urgency=high * Fix security issue: path traversal through local_part. Affects installations which use an Exim or Postfix transport instead of fixed aliases; attacker needs to be able to place files on the local filesystem. (CVE-2015-2775, Closes: 781626) -- Thijs Kinkhorst <email address hidden> Mon, 06 Apr 2015 15:36:15 +0000
mailman (1:2.1.18-1) unstable; urgency=medium * New upstream release. - Adds DMARC support. (Closes: #746592) - Drop obsolete patches: 20_qmail_to_mailman.debian.patch 80_sync_members_unicode.patch * Add lsb-release to debian/tests/control. (Closes: #734180) * Fix ownership on /var/lib/mailman/archives/private as upstream suggests, also reflecting group ownership for public archives. Thanks Luca Capello! (closes: #603904) * Checked for policy 3.6.5, no changes. -- Thijs Kinkhorst <email address hidden> Thu, 10 Jul 2014 19:27:46 +0200
Available diffs
- diff from 1:2.1.16-2 to 1:2.1.18-1 (722.4 KiB)
mailman (1:2.1.16-2) unstable; urgency=medium * Upload to unstable, as requested by Thijs; we did not encounter any unexpected trouble with the version in experimental, and it does fix an RC bug as well as a release goal. -- Thorsten Glaser <email address hidden> Mon, 03 Feb 2014 14:00:37 +0100
Available diffs
- diff from 1:2.1.16-1 to 1:2.1.16-2 (11.3 KiB)
Deleted in experimental-release (Reason: None provided.)
mailman (1:2.1.16-1exp2) experimental; urgency=low * Try harder to use UTF-8 -- Thorsten Glaser <email address hidden> Sun, 29 Dec 2013 14:40:17 +0000
Superseded in experimental-release
mailman (1:2.1.16-1exp1) experimental; urgency=low * Convert to UTF-8. (Closes: #398777, #535296, #732929) * Apply upstream bugfix for sync_members. (Closes: #732741) -- Thorsten Glaser <email address hidden> Sun, 29 Dec 2013 02:08:38 +0000
mailman (1:2.1.16-1) unstable; urgency=low * New upstream release. -- Thijs Kinkhorst <email address hidden> Wed, 06 Nov 2013 19:57:54 +0100
Available diffs
- diff from 1:2.1.16~rc2-1 to 1:2.1.16-1 (366.0 KiB)
mailman (1:2.1.16~rc2-1) unstable; urgency=low [ Thijs Kinkhorst ] * New upstream release candidate. - Exposes message-id to templates (closes: #614340). * Remove obsolete patches, applied upstream: 21_newlist_help.patch * Updates to Russian debconf templates, thanks Ivan Krylov! (closes: #710268). * Needs at least version 3.8.0 of logrotate (closes: #687215). * Add autopkgtests, thanks Yolanda Robla! (closes: #710095) * Packaging cleanup: checked for policy 3.9.4, update Vcs URL, recommend default-mta instead of exim4. [ Thorsten Glaser ] * Prevent losing stderr in the init script when there are many lists. (closes: #702002) * debian/watch: mangle the epoch away so DDPO is green again. -- Thijs Kinkhorst <email address hidden> Sun, 04 Aug 2013 12:00:05 +0200
mailman (1:2.1.15-1) unstable; urgency=low * New upstream release. * Improve Exim4 instructions, thanks Andrew Hodgson. * Remove obsolete PRIVATE_ARCHIVE_URL variable, thanks Matthew Hall (closes: #676481). * Correct mmarch man page, thanks Francesco Potortì (closes: #583369). * Specify need for MTA=None in postfix-to-mailman.py (closes: #648976). -- Thijs Kinkhorst <email address hidden> Sat, 16 Jun 2012 12:04:40 +0200
Available diffs
- diff from 1:2.1.15~rc1-1 to 1:2.1.15-1 (3.7 KiB)
mailman (1:2.1.15~rc1-1) unstable; urgency=low [ Thijs Kinkhorst ] * New upstream release candidate. * Remove obsolete patches, applied upstream: 02_use_dpkg_buildflags.patch 07_snooze.patch 59_fix_missing_language_crash.patch 70_invalid_utf8_dos.patch 71_date_overflows.patch 74_admin_non-ascii_emails.patch 80_CVE-2011-0707_confirm_xss.patch 99_js_templates.patch [ Thorsten Glaser ] * Update the watch file for Launchpad -- Thijs Kinkhorst <email address hidden> Sun, 20 May 2012 14:01:42 +0200
Available diffs
- diff from 1:2.1.14-4 to 1:2.1.15~rc1-1 (1.1 MiB)
mailman (1:2.1.14-4) unstable; urgency=low * Ensure CPPFLAGS and LDFLAGS are actually used during build, thanks Simon Ruderich for the patch! (closes: #663590) Additionally, enable all available hardening features. * Checked for policy 3.9.3, add DEP3 patch headers. * Add Danish debconf translation, thanks Joe Dalton (closes: #659467). * Add 'su root list' statements to logrotate config, to cope with logrotate >= 3.8; thanks Joël Bertrand (closes: #653766). * Avoid config file prompt for mailman crontab entry if this file was unmodified (closes: #655837). -- Thijs Kinkhorst <email address hidden> Sun, 18 Mar 2012 14:12:49 +0100
mailman (1:2.1.14-3) unstable; urgency=low * Make man page descriptions match more keywords (closes: #597112). * Add cull_bad_shunt command to default cron job (closes: #615204) and improve cron job handling in the package. * Import dpkg buildflags, also enabling hardening features. * Remove gate_news debconf question. -- Thijs Kinkhorst <email address hidden> Sat, 08 Oct 2011 17:27:51 +0200
Published in lenny-release
mailman (1:2.1.11-11+lenny2) oldstable-security; urgency=high * Upload to lenny-security. * CVE-2010-3089: cross-site scripting (XSS) vulnerabilities which can be exploited by list administrators (Closes: 599833). * CVE-2011-0707: Cross site scripting in subscriber names. -- Thijs Kinkhorst <email address hidden> Wed, 16 Feb 2011 21:02:42 +0100
mailman (1:2.1.14-2) unstable; urgency=low [ Thijs Kinkhorst ] * Move mail-transport-agent to Recommends, since Mailman can be configured to run with a remote MTA (closes: #616292). * Update to policy 3.9.2, add build-{arch,indep} targets. [ Thorsten Glaser ] * Add myself to Uploaders, as suggested by Thijs. * Apply patch from Barry Warsaw to switch from python-support to dh_python2. (LP: #788514) (Closes: #637398) -- Thijs Kinkhorst <email address hidden> Wed, 17 Aug 2011 12:00:50 +0000
Available diffs
- diff from 1:2.1.14-1 to 1:2.1.14-2 (1.9 KiB)
Published in squeeze-release
mailman (1:2.1.13-5) stable-security; urgency=high * Upload to stable to fix security issue. * CVE-2011-0707: Cross site scripting in subscriber names. -- Thijs Kinkhorst <email address hidden> Wed, 16 Feb 2011 20:36:49 +0100
mailman (1:2.1.14-1) unstable; urgency=medium * New upstream release. Patches incorporated: - 15_mailmanctl_daemonize.patch - 83-CVE-2010-3089--bug599833.patch * Add upstream patch for CVE-2011-0707: XSS in confirmations. -- Thijs Kinkhorst <email address hidden> Sat, 19 Feb 2011 08:26:43 +0100
mailman (1:2.1.13-4.1) unstable; urgency=high * Non-maintainer upload. * debian/patches - (83): New. CVE-2010-3089 security fix from mailman 2.14. Patch thanks to <email address hidden> (grave, security; Closes: #599833). -- Jari Aalto <email address hidden> Sat, 16 Oct 2010 08:46:55 +0300
mailman (1:2.1.13-4) unstable; urgency=medium * Fix permissions on /var/lib/mailman/archives/private, so archiving works again. Problem introduced in 1:2.1.12-3. * Fix invocation of update-rc.d which yields an error when not using dependency-based boot (closes: #590249). * Checked for policy 3.9.1, no changes needed. -- Thijs Kinkhorst <email address hidden> Tue, 27 Jul 2010 22:56:03 +0200
mailman (1:2.1.13-3) unstable; urgency=low * Drop unneeded Indexes option from shipped apache.conf. * Eliminate update_rc.d warning by not passing runlevel 1 at stop. * Add 25_site_logo patch by Paul Wise (closes: #267243). * Do not compress PDF's under /u/s/d/mailman (closes: #582259). * Back up ./configure before running autoconf, so it can be restored in clean as not to generate irrelevant diff.gz content. * Switch to dpkg-source 3.0 (quilt) format. * Checked for policy 3.9.0, no changes needed. -- Thijs Kinkhorst <email address hidden> Tue, 13 Jul 2010 21:35:40 +0200
Superseded in lenny-release
mailman (1:2.1.11-11+lenny1) stable-proposed-updates; urgency=low * Disable 32_MIME_fixup.patch. This has meanwhile been addressed differently by upstream, and now has the effect of adding a second Mime-Version header to some types of message. This in turn is a trigger to some SPAM filters to ban the message. (Closes: #581988, #310180). -- Thijs Kinkhorst <email address hidden> Mon, 17 May 2010 22:51:56 +0200
mailman (1:2.1.13-2) unstable; urgency=low * postfix-to-mailman.py: check for list existence before stripping off administrative suffixes, making it also work for mailing list names ending in e.g. -admin. Thanks Axel Beckert for the patch! (Closes: #570548) * Checked for policy 3.8.4, no changes. * Minor fixes pointed out by Lintian. -- Thijs Kinkhorst <email address hidden> Sat, 20 Mar 2010 21:57:55 +0100
mailman (1:2.1.13-1) unstable; urgency=low * New upstream release. Patches incorporated: - 16_update_debian (partially) - 30_pipermail_threads - 65_handle_templates_directories - 77_header_folding_in_attachments * Remove msgfmt.py, only used at build-time (closes: #555416). * Remove adduser calls for 'list' user. Base-passwd guarantees it to be available, and trying to add it if it were not present may lead to inconsistencies regarding expectations for that user. * Document second parameter of postfix-to-mailman.py to be ${mailbox}, effectively reverting inappropriate fix for #305762 (closes: #549224). -- Thijs Kinkhorst <email address hidden> Thu, 31 Dec 2009 15:50:29 +0100
mailman (1:2.1.12-3) unstable; urgency=low * Remove potentially long running 'find' command in postinst, as permissions are already set correctly in the deb. Thanks Paul Slootman (closes: #544046). * Add Slovak debconf translation, thanks Ivan Masár (closes: #531576). * Update 30_pipermail_threads patch to use sequence ID instead of message ID, avoids thread breakage in archives. Thanks Mark Sapiro. * Checked for policy 3.8.3, no changes necessary. -- Thijs Kinkhorst <email address hidden> Sun, 27 Sep 2009 17:36:01 +0200
mailman (1:2.1.12-2) unstable; urgency=low [ Lionel Elie Mamane ] * README.Exim4.Debian: add debug_print statements * apply fix from upstream to 77_header_folding_in_attachments to fix bug it introduces: messages with lines starting with "From" are split into several messages in the archive. * Use autoconf >= 2.50, not 2.13 * Ensure Mailman locks directory exists before calling update (Closes: #513988). [ Thijs Kinkhorst ] * Apply patch from Tanguy Ortolo updating postfix-to-mailman instructions to avoid backscatter mail (Closes: #520040). * Remove obsolete unicodify_archives for upgrading sarge->etch. -- Lionel Elie Mamane <email address hidden> Fri, 22 May 2009 11:09:49 +0200
mailman (1:2.1.12-1) unstable; urgency=low * New upstream release. + Minimum Python version is now 2.4. + Patches obsoleted (incorporated or not useful anymore): 00_stolen_from_HEAD, 11_handle_propfind.patch, 32_MIME_fixup, 62_new_list_bad_pending_requests, 67_update_handle_old_versions, 68_update_catalan, 78_DeprecationWarning, 80_fix_string_search. Refresh all others. Many thanks to Mark Sapiro and Paul Wise for the help in cleaning this up. + Fixes bounce handling NotAMemberError (closes: #517997). * Various packaging cleanups, upgrade debhelper to level 7. * Removes embedded copy of pythonlib/email module. * Checked for policy 3.8.1, remove shipped var/{run,lock} dirs, they are already created correctly by the init script. -- Thijs Kinkhorst <email address hidden> Sat, 14 Mar 2009 14:18:16 +0100
mailman (1:2.1.11-11) unstable; urgency=high [ Debconf Translations ] * Updated Vietnamese, thanks Clytie Siddall (closes: #513097). -- Thijs Kinkhorst <email address hidden> Mon, 26 Jan 2009 13:42:33 +0100
Superseded in sid-release
mailman (1:2.1.11-10) unstable; urgency=low [ Debconf Translations ] * Updated Catalan, thanks David Planella. -- Thijs Kinkhorst <email address hidden> Wed, 07 Jan 2009 23:09:56 +0100
mailman (1:2.1.11-9) unstable; urgency=high [ Debconf Translations ] * Updated Spanish, thanks Javier Fernández-Sanguino (closes: #510023). * Updated Japanese, thanks Kenshi Muto (closes: #509996). * Updated Galician, thanks Marce Villarino (closes: #510002). * Updated French, thanks Christian Perrier (closes: #510016). * Updated Italian, thanks Luca Monducci (closes: #510107). * Updated Swedish, thanks Martin Bagge and Daniel Nylander (closes: #510206). * Updated Czech, thanks Miroslav Kure (closes: #510230). * Updated German, thanks Holger Wansing (closes: #510361). * Updated Portuguese, thanks Miguel Figueiredo (closes: 510556). * Updated Russian, thanks Sergey Alyoshin (closes: #510614). -- Thijs Kinkhorst <email address hidden> Sun, 04 Jan 2009 12:30:58 +0100
Superseded in sid-release
mailman (1:2.1.11-8) unstable; urgency=low * Do not stop installation when queue files are present, and this is an upgrade from the same version that was already installed. Based on a patch by Marcin Owsiany (closes: #468569). * When queue files present, offer the administrator the option to continue regardless at their own risk. This unfortunately requires some extra strings to be translated. * Update Dutch translation. * Remove mail-transport-agent from init script deps (closes: #508800). -- Thijs Kinkhorst <email address hidden> Sat, 27 Dec 2008 15:18:55 +0100
mailman (1:2.1.11-7) unstable; urgency=low [ Thijs Kinkhorst ] * Clarify POSTFIX_STYLE_VIRTUAL_DOMAINS syntax, thanks Tomas Pospisek (closes: #507519). [ Lionel Elie Mamane ] * README.Exim4.Debian: Do lookup whole email (with domain, not only localpart) in virtual_mailman data file (bug introduced in 1:2.1.11-4) * README.Exim4.Debian: explain how to regenerate the aliases list manually (for people switching their existing configuration to the recommended one, or switching MTAs, as opposed to setting up a fresh system). -- Thijs Kinkhorst <email address hidden> Sat, 13 Dec 2008 18:40:34 +0100
mailman (1:2.1.11-6) unstable; urgency=high * Further site list detection improvements, thanks Adeodato Simó for his suggestions. -- Thijs Kinkhorst <email address hidden> Sun, 16 Nov 2008 13:17:10 +0100
Superseded in sid-release
mailman (1:2.1.11-5) unstable; urgency=high * Make init script also cope with non-specified site list. -- Thijs Kinkhorst <email address hidden> Sun, 09 Nov 2008 11:26:46 +0100
Superseded in sid-release
mailman (1:2.1.11-4) unstable; urgency=medium [ Lionel Elie Mamane ] * Add -loop to list of accepted suffixes for routers in README.Exim4.Debian [ Thijs Kinkhorst ] * Add mischief to logrotate configuration (closes: #504700). * Update Mailman group and aliases path in README.Exim4.Debian, thanks Kris Popendorf (closes: #504695). * Detect a nonstandard site list name, thanks Moritz Naumann (closes: #418062). -- Thijs Kinkhorst <email address hidden> Fri, 07 Nov 2008 09:48:10 +0100
mailman (1:2.1.11-3) unstable; urgency=low * Updated Catalan debconf translation, thanks David Planella Molas (Closes: #494110). * Added patch 68_update_catalan to update Catalan program translation, thanks Jordi Mallach (Closes: #492297). * Add a README.source file referring to quilt. -- Thijs Kinkhorst <email address hidden> Mon, 11 Aug 2008 16:06:19 +0200