From 90bd87b9c89bbb4c481405f34cce985b94ca8c80 Mon Sep 17 00:00:00 2001
From: tkikuchi <>
Date: Tue, 6 Dec 2005 00:43:13 +0000
Subject: Add Security notes in NEWS.

---
 NEWS | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'NEWS')

diff --git a/NEWS b/NEWS
index 62eb08fe..fec139fc 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,27 @@ Here is a history of user visible changes to Mailman.
 
 2.1.7 (XX-XXX-200X)
 
+  Security
+
+    - A note on CVE-2005-3573: Although the RFC2231 bug example in the
+      CVE has been solved in mailman-2.1.6, there may be more cases
+      where ToDigest.send_digests() can block regular delivery.
+      We put the send_digests() calling part in try - except clause and
+      leave a message in the error log if something happened in
+      send_digests().  Daily call of cron/senddigests will notify more
+      detail to the site administrator.
+
+    - List administrators can no longer change the user's option/subscription
+      globally.  Site admin can change these only if
+      mm_cfg.ALLOW_SITE_ADMIN_COOKIES is set to Yes.
+
+    - Script tag is disallowd in edithtml script.
+
+    - Since probe message for the disabled users may reach unexpected
+      persons, the password was excluded from sendProbe() and probe.txt.
+      Note that the default value of VERP_PROBE has been set to `No'
+      from 2.1.6., thus this change doesn't change the default behavior.
+
   New Features
 
     - Always remove DomainKey (and similar) headers (1287546) from messages
-- 
cgit v1.2.3