From 3f53fd904700c5878733d39bec5aac89070257f5 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Mon, 30 Jun 2008 08:32:26 -0700 Subject: - Bumped version to 2.1.11. - Changed MailList.Create() to check that list name contains only characters that match the new mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS. - Changed MTA.Utils.makealiases() to escape a few characters in the list name in the pipe command. --- NEWS | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 704f14f2..ddc79973 100644 --- a/NEWS +++ b/NEWS @@ -4,7 +4,7 @@ Copyright (C) 1998-2008 by the Free Software Foundation, Inc. Here is a history of user visible changes to Mailman. -2.1.11rc2 (23-Jun-2008) +2.1.11 (30-Jun-2008) New Features @@ -17,6 +17,14 @@ Here is a history of user visible changes to Mailman. - Prepended list name to bounce log unrecognized bounce messages. + - Added a new Defaults.py|mm_cfg.py setting ACCEPTABLE_LISTNAME_CHARACTERS + with default value '[-+_.=a-z0-9]'. This Python regular expression + character class specifies the characters allowed in list names. The + motivation for this is the fact that previously, a list named, e.g., + xxx&yyy could be created and MTA aliases generated that would cause + The MTA to execute yyy as a command. There is a possible security issue + here, but it is not believed to be exploitable in any meaningful way. + Bug fixes and other patches - Changed the preservation of unparseable messages to be conditional on -- cgit v1.2.3
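Review bot: In the second NEWS hunk, the new ACCEPTABLE_LISTNAME_CHARACTERS entry covers only the list-name check in MailList.Create(). The commit message also says MTA.Utils.makealiases() now escapes a few characters in the list name in the pipe command, and that change has no NEWS line. Both changes address the same xxx&yyy alias problem, so add a sentence on the escaping next to this entry. The entry sits at the end of "New Features" although it describes a possible security issue, so consider a pointer under "Bug fixes and other patches" or a short security note so that administrators scanning the release notes do not miss it. It would also help to say whether lists created before this release with names outside '[-+_.=a-z0-9]' are affected, and whether their generated aliases should be reviewed. Minor: "cause The MTA to execute" has a stray capital and should read "the MTA".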