From VM Wed Mar 7 11:06:03 2001
X-VM-v5-Data: ([nil nil nil nil nil nil nil nil nil]
[nil "Tuesday" "6" "March" "2001" "09:29:58" "-0800" "Mail Delivery System" "MAILER-DAEMON@keftamail.com" nil "185" "Undelivered Mail Returned to Sender" "^From:" nil nil "3" nil nil nil nil nil]
nil)
Return-Path: <mailman-announce-admin@python.org>
Delivered-To: bwarsaw@wooz.org
Received: from digicool.com (host15.digitalcreations.d.subnet.rcn.com [208.59.6.15])
by mail.wooz.org (Postfix) with ESMTP id 6C2DCD37AC
for <barry@wooz.org>; Tue, 6 Mar 2001 12:30:35 -0500 (EST)
Received: from <mailman-announce-admin@python.org>
by digicool.com (CommuniGate Pro RULES 3.4)
with RULES id 1650903; Tue, 06 Mar 2001 12:33:44 -0500
Received: from ns2.digicool.com ([216.164.72.2] verified)
by digicool.com (CommuniGate Pro SMTP 3.4)
with ESMTP id 1650896 for barry@mail.digicool.com; Tue, 06 Mar 2001 12:33:44 -0500
Received: from mail.python.org (mail.python.org [63.102.49.29])
by ns2.digicool.com (8.9.3/8.9.3) with ESMTP id MAA08939
for <barry@digicool.com>; Tue, 6 Mar 2001 12:31:02 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=mail.python.org)
by mail.python.org with esmtp (Exim 3.21 #1)
id 14aLIc-0001Wp-00
for barry@digicool.com; Tue, 06 Mar 2001 12:31:02 -0500
Received: from [64.75.1.85] (helo=postal-worker1.kefta.com)
by mail.python.org with esmtp (Exim 3.21 #1)
id 14aLIB-0001VP-00
for mailman-announce-admin@python.org; Tue, 06 Mar 2001 12:30:35 -0500
Received: from mail1.kefta.com (mail1.kefta.com [10.0.2.1])
by postal-worker1.kefta.com (Keftamail) with ESMTP id E57BC4081
for <mailman-announce-admin@python.org>; Tue, 6 Mar 2001 09:24:31 -0800 (PST)
Received: by mail1.kefta.com (Keftamail) via BOUNCE
id 438064082; Tue, 6 Mar 2001 09:29:58 -0800 (PST)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="1EDF14081.983899798/mail1.kefta.com"
Message-Id: <20010306172958.438064082@mail1.kefta.com>
Precedence: bulk
List-Help: <mailto:mailman-announce-request@python.org?subject=help>
List-Post: <mailto:mailman-announce@python.org>
List-Subscribe: <http://mail.python.org/mailman/listinfo/mailman-announce>,
<mailto:mailman-announce-request@python.org?subject=subscribe>
List-Id: Announce-only list for Mailman releases and news <mailman-announce.python.org>
List-Unsubscribe: <http://mail.python.org/mailman/listinfo/mailman-announce>,
<mailto:mailman-announce-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/mailman-announce/>
From: MAILER-DAEMON@keftamail.com (Mail Delivery System)
Sender: mailman-announce-owner@python.org
To: mailman-announce-admin@python.org
Subject: Undelivered Mail Returned to Sender
Date: Tue, 6 Mar 2001 09:29:58 -0800 (PST)
X-Autogenerated: Mirror
X-Mirrored-by: <mailman-announce-admin@python.org>
X-BeenThere: mailman-announce@python.org
X-Mailman-Version: 2.0.2 (101270)

This is a MIME-encapsulated message.

--1EDF14081.983899798/mail1.kefta.com
Content-Description: Notification
Content-Type: text/plain

This is the Keftamail program at host mail1.kefta.com.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please contact <postmaster@keftamail.com>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Keftamail program

<davidlowie@mail1.keftamail.com>: permission denied. Command output: Mail quota
exceeded.

--1EDF14081.983899798/mail1.kefta.com
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from postal-worker2.kefta.com (postal-worker2.kefta.com [10.0.2.4])
by mail1.kefta.com (Keftamail) with ESMTP id 1EDF14081
for <davidlowie@mail1.keftamail.com>; Tue, 6 Mar 2001 09:29:58 -0800 (PST)
Received: by postal-worker2.kefta.com (Keftamail)
id F089940C9; Tue, 6 Mar 2001 09:29:37 -0800 (PST)
Delivered-To: davidlowie@keftamail.com
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.7])
by postal-worker2.kefta.com (Keftamail) with ESMTP id BA59D40C0
for <davidlowie@KEFTAMAIL.COM>; Tue, 6 Mar 2001 09:29:37 -0800 (PST)
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.7])
by lists.securityfocus.com (Postfix) with ESMTP
id 3A1C024CF8C; Tue, 6 Mar 2001 10:04:43 -0700 (MST)
Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
(LISTSERV-TCP/IP release 1.8d) with spool id 27825191 for
BUGTRAQ@LISTS.SECURITYFOCUS.COM; Tue, 6 Mar 2001 10:03:25 -0700
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Received: from firewall.osb.hu (unknown [193.224.234.1]) by
lists.securityfocus.com (Postfix) with ESMTP id 48CD624C646 for
<BUGTRAQ@LISTS.SECURITYFOCUS.COM>; Tue, 6 Mar 2001 00:49:55 -0700
(MST)
Received: from pimpa.intranet.osb.hu (IDENT:root@pimpa.intranet.osb.hu
[192.168.0.8]) by firewall.osb.hu (8.9.3/8.9.3/Debian 8.9.3-21) with
ESMTP id IAA11531 for <BUGTRAQ@LISTS.SECURITYFOCUS.COM>; Tue, 6 Mar
2001 08:53:08 +0100
Received: from localhost (sp@localhost) by pimpa.intranet.osb.hu (8.9.3/8.9.3)
with ESMTP id IAA05518 for <BUGTRAQ@LISTS.SECURITYFOCUS.COM>; Tue, 6
Mar 2001 08:53:08 +0100
X-Authentication-Warning: pimpa.intranet.osb.hu: sp owned process doing -bs
X-Received: from firewall.osb.hu (fw.intranet.osb.hu [192.168.0.1]) by
pimpa.intranet.osb.hu (8.9.3/8.9.3) with ESMTP id JAA18698 for
<sp@pimpa.intranet.osb.hu>; Sat, 3 Mar 2001 09:41:17 +0100
X-Received: from pax.intranet.osb.hu (IDENT:root@pax.intranet.osb.hu
[192.168.0.2]) by firewall.osb.hu (8.9.3/8.9.3/Debian 8.9.3-21)
with ESMTP id JAA24373 for <sp@pimpa.intranet.osb.hu>; Sat, 3 Mar
2001 09:41:17 +0100
X-Received: from firewall.osb.hu (fw.intranet.osb.hu [192.168.0.1]) by
pax.intranet.osb.hu (8.9.3/8.9.3) with ESMTP id JAA09389 for
<sp@osb.hu>; Sat, 3 Mar 2001 09:41:16 +0100
X-Received: from mail.python.org (mail.python.org [63.102.49.29]) by
firewall.osb.hu (8.9.3/8.9.3/Debian 8.9.3-21) with ESMTP id
JAA24367 for <sp@osb.hu>; Sat, 3 Mar 2001 09:41:07 +0100
X-Received: from localhost.localdomain ([127.0.0.1] helo=mail.python.org) by
mail.python.org with esmtp (Exim 3.21 #1) id 14Z7OV-0000vs-00; Sat,
03 Mar 2001 03:28:03 -0500
X-Received: from [216.27.134.141] (helo=mail.wooz.org) by mail.python.org with
esmtp (Exim 3.21 #1) id 14Z7Nq-0000tq-00; Sat, 03 Mar 2001 03:27:22
-0500
X-Received: by mail.wooz.org (Postfix, from userid 889) id BE7B0D37AC; Sat, 3
Mar 2001 03:26:35 -0500 (EST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: VM 6.84 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
X-Attribution: BAW
X-Oblique-Strategy: Subvert your original idea
X-Url: http://www.wooz.org/barry
Errors-To: mailman-announce-admin@python.org
X-BeenThere: mailman-announce@python.org
X-Mailman-Version: 2.0.2 (101270)
Precedence: bulk
List-Help: <mailto:mailman-announce-request@python.org?subject=help>
List-Post: <mailto:mailman-announce@python.org>
List-Subscribe: <http://mail.python.org/mailman/listinfo/mailman-announce>,
<mailto:mailman-announce-request@python.org?subject=subscribe>
List-Id: Announce-only list for Mailman releases and news
<mailman-announce.python.org>
List-Unsubscribe: <http://mail.python.org/mailman/listinfo/mailman-announce>,
<mailto:mailman-announce-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/mailman-announce/>
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
ReSent-Subject: [Mailman-Announce] ANNOUNCE Mailman 2.0.2 (important privacy
patch)
Message-ID: <Pine.LNX.4.30.0103060853010.5499@pimpa.intranet.osb.hu>
Date: Tue, 6 Mar 2001 08:53:01 +0100
Reply-To: mailman-developers@python.org
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
Comments: RFC822 error: <W> CC field duplicated. Last occurrence was
retained.
Comments: Resent-From: Soos Peter <sp@osb.hu>
Comments: Originally-From: barry@digicool.com (Barry A. Warsaw)
From: Soos Peter <sp@OSB.HU>
Subject: [Mailman-Announce] ANNOUNCE Mailman 2.0.2 (important privacy
patch)
X-cc: mailman-developers@python.org
To: BUGTRAQ@SECURITYFOCUS.COM

I've just uploaded the Mailman 2.0.2 release to SourceForge. This is
a bug fix release that also fixes a potential privacy hole, which
could allow a list administrator to get access to user passwords.
Even with those passwords, I believe there's little additional harm
that a list admin could do, but still they probably shouldn't have
access to those passwords.

There are a few other important fixes in this release, so I recommend
that all sites running Mailman 2.0 or 2.0.1 should upgrade.

As usual I'm releasing this as both a complete tarball and as a patch
against Mailman 2.0.1. If you grab the patchfile, you'll want to cd
into your 2.0 source, and apply it like so:

    % patch -p1 < mailman-2.0.1-2.0.2.diff

Currently only http://mailman.sourceforge.net is updated, but the
list.org and gnu.org sites should be updated soon. The release
information on SF is at

    http://sourceforge.net/project/shownotes.php?release_id=25955

My thanks to Thomas Wouters for his help!

Enjoy,
-Barry

P.S. I'm not sure if I'll have time to release a 2.1 alpha of the I18N
stuff before I leave for the Python9 conference. If we get the
expected foot of snow between Sunday and Monday, it's a
possibility. ;)

[From the NEWS file]

2.0.2 (03-Mar-2001)

    Security fix:

    - A fix for a potential privacy exploit where a clever list
      administrator could gain access to user passwords. This doesn't
      allow them to do much more harm to the user than they normally
      could, but they still shouldn't have access to the passwords.

    Bug fixes:

    - In the admindb page, don't complain when approving a
      subscription of someone who's already on the list (SF bug
      #222409 - Thomas Wouters).

      Also, quote for HTML the Subject: text printed for held
      messages, otherwise messages with e.g. "Subject: </table>" could
      royally screw page formatting.

    - In Netscape.py bounce processor, don't bomb out on ill-formed
      messages (no semi-colon separating parameters), otherwise mail
      delivery could grind to a halt. Bug reported by Kambiz
      Aghaiepour.

    - Docstring fix bin/newlist to remove mention of "immediate"
      argument (Thomas Wouters).

    - Fix for bin/update when PREFIX != VAR_PREFIX (SF bug #229794 --
      Thomas Wouters).
_______________________________________________
Mailman-announce mailing list
Mailman-announce@python.org
http://mail.python.org/mailman/listinfo/mailman-announce
--1EDF14081.983899798/mail1.kefta.com--