File mailman.changes of Package mailman.15639

-------------------------------------------------------------------
Wed Jul  1 14:55:31 UTC 2020 - Matej Cepl <mcepl@suse.com>

- (bsc#1173369 CVE-2020-15011) Add
  CVE-2020-15011_inject_private_login.patch avoiding a
  possibility of Arbitrary Content Injection via the private
  archive login page (upstream lp#1877379).

-------------------------------------------------------------------
Tue May 12 12:31:04 UTC 2020 - Matej Cepl <mcepl@suse.com>

- Add CVE-2020-12108_injection_options.patch fixing bsc#1171363
  (CVE-2020-12108)

-------------------------------------------------------------------
Mon May 11 20:36:45 UTC 2020 - Matej Cepl <mcepl@suse.com>

- Don't default to invalid hosts for DEFAULT_EMAIL_HOST
  (bsc#682920), adjust mailman-2.1.14-python.dif.

-------------------------------------------------------------------
Wed Apr 29 13:19:07 UTC 2020 - Matej Cepl <mcepl@suse.com>

- Fix rights and ownership on /var/lib/mailman/archives (bsc#1167068)

-------------------------------------------------------------------
Mon Apr 27 14:15:19 UTC 2020 - Matej Cepl <mcepl@suse.com>

- Add CVE-2020-12137-XSS-MIME_type-confusion.patch to fix
  bsc#1170558 (CVE-2020-12137)

-------------------------------------------------------------------
Fri Nov 15 17:13:08 CET 2019 - Matej Cepl <mcepl@suse.com>

- Don't use explicit chown and chmod in %post, but rather use
  %attr in files. Avoid bsc#1154328 (CVE-2019-3693)

-------------------------------------------------------------------
Mon Jan 28 16:09:26 UTC 2019 - Matěj Cepl <mcepl@suse.com>

- Correct syntax of the Apache configuration file (boo#1120345)

-------------------------------------------------------------------
Sat Jul 28 21:06:02 UTC 2018 - mcepl@suse.com

- bsc#1077358 CVE-2018-5950: XSS vulnerability and information leak in user options CGI
    A crafted URL for a user options page can cause a browser to
    execute arbitrary script encoded in the URL.
    Also, in developing a fix for this issue it was discovered
    that a user options URL with a VARHELP query fragment would
    display the user options page without requiring login. No
    changes could be made and the settings revealed are not
    particularly sensitive, but this could be used to fish for
    membership on a list with a private roster.
    Added mailman-2.1.15-CVE-2018-5950.patch which protects
    against this vulnerability.

-------------------------------------------------------------------
Sat Jul 28 08:42:32 UTC 2018 - mcepl@suse.com

- bsc#925502 CVE-2015-2775: directory traversal in MTA transports
    The recommended Mailman Transport for Exim invokes the Mailman mail wrapper
    with an unedited listname derived from the $local_part of the email address
    less any known suffix.
    The recommended Exim configuration does check that the
    lists/${lc::$local_part}/config.pck file does exist, but this check is also
    vulnerable to the path traversal attack.
    Added mailman-2.1.11-CVE-2015-2775.patch which protects against this
    vulnerability.


-------------------------------------------------------------------
Fri Jul 27 22:48:51 UTC 2018 - mcepl@suse.com

- bsc#1099510 CVE-2018-0618: Cross-site scripting vulnerability allows
  malicious listowners to inject scripts into listinfo pages
  Patches collected at https://bugzilla.redhat.com/1596458
  New patch added mailman-2.1.15-CVE-2018-0618.patch

-------------------------------------------------------------------
Fri Jul 27 21:58:34 UTC 2018 - mcepl@suse.com

- Fixing bsc#1101288 by new patch mailman-2.1.15-CVE-2018-13796.patch
    CVE-2018-13796: Arbitrary text injection vulnerability in Mailman CGIs
    https://bugs.launchpad.net/mailman/+bug/1780874

-------------------------------------------------------------------
Fri Jul 27 20:55:23 UTC 2018 - mcepl@suse.com

- For fixing BSC#995352 add upstream mailman-2.1.14-CVE-2016-6893.patch
  (originally from
  https://launchpadlibrarian.net/282221021/patch_CVE-2016-6893)
  for fixing CVE-2016-6893 ... CSRF protection needs to be extended to
  the user options page

-------------------------------------------------------------------
Fri Feb 14 18:47:44 UTC 2014 - jmatejek@suse.com

- rename README.SuSE
- update to 2.1.17
    * option to strip/keep non-standard headers in anonymous lists
    * option to make membership checks on mail-news gateway
    * UI improvements for admin interface
    * digest_size_threshold = 0 now means that *no* digest is sent
      based on size
    * option to CSRF-protect subscription form
    * admins can add members with mail delivery disabled
    * configurable name of master lock
    * updated translations
- updated list_lists patch because upstream list_lists now has
  an argument -p / --public-archive that does the same as SUSE-specific
  argument -u / --public-archives. Both spellings are supported
  and are synonymous.

-------------------------------------------------------------------
Tue Feb 11 10:44:52 UTC 2014 - dmueller@suse.com

- do not abort post script if postalias fails 

-------------------------------------------------------------------
Wed Oct 24 15:05:16 UTC 2012 - jmatejek@suse.com

- update to 2.1.15
    * fixes CVE-2011-0707 - patch dropped
    * better CSRF protection
    * better e-mail address validation
    * password reminder button
    * new config options
    * updated translations
- dropped mailman-python24 patch as we no longer care
  about python2.4
- replaced %run_permissions in spec

-------------------------------------------------------------------
Tue Oct  2 13:10:52 UTC 2012 - jmatejek@suse.com

- removed SuSEconfig dependency
  * SuSEconfig.mailman is moved to a new location, and works
    pretty much the same way as before, which may or may not
    be a good thing; perhaps this functionality should be
    removed completely

-------------------------------------------------------------------
Fri Mar  2 23:40:05 UTC 2012 - opensuse@cboltz.de

- add "su mailman mailman" to logrotate config (bnc#750259)

-------------------------------------------------------------------
Wed Apr 20 14:30:24 UTC 2011 - jmatejek@novell.com

- fixed bug where it is impossible to edit archives (updated
  patch 2.1.14-editarch.patch)

-------------------------------------------------------------------
Wed Feb 23 19:42:27 CET 2011 - matejcik@suse.cz

- fixed an XSS vulnerability in confirm.py (CVE-2011-0707, bnc#671745)

-------------------------------------------------------------------
Mon Nov 15 10:46:32 CET 2010 - dmueller@suse.de

- update to 2.1.14:
 - Two potential XSS vulnerabilities have been identified and fixed.
 - Various i18n updates
 - A new feature for controlling the addition/replacement of the Sender:
   header in outgoing mail has been implemented.  This allows a list owner
   to set include_sender_header on the list's General Options page in the
   admin GUI.  The default for this setting is Yes which preserves the prior
   behavior of removing any pre-existing Sender: and setting it to the
   list's -bounces address.  Setting this to No stops Mailman from adding or
   modifying the Sender: at all.
 - long list of bug fixes and enhancements, see included NEWS for details

-------------------------------------------------------------------
Tue Nov  3 19:09:30 UTC 2009 - coolo@novell.com

- updated patches to apply with fuzz=0

-------------------------------------------------------------------
Sun Nov 30 17:28:50 CET 2008 - rommel@suse.de

- the previous 'fix' of removing Mailman's own version of email was a bit crude
  and broke Mailman in several places (bug #448530)
  I replaced it with the upstream fix to 'configure' by Barry Warsaw
  (see http://bazaar.launchpad.net/~barry/mailman/py26/changes)

-------------------------------------------------------------------
Wed Nov 12 09:05:26 CET 2008 - rommel@suse.de

- added fix to work around md5/sha deprecation warning when hashlib is available
  (mailman-python-26-deprecation-md5-sha.diff)
- removed group writable bit from /usr/lib/mailman/Mailman/
- removing Mailman's own version of email when building against >= Python 2.6

-------------------------------------------------------------------
Tue Aug 26 16:43:00 CEST 2008 - rommel@suse.de

- version update to 2.1.11 (security fixes and small, but compatible enhancements)
- removed outdated (>4y) extra FAQ
- updated README.SuSE
- reworked (internally used) category patch + added referenced mm-text.png

-------------------------------------------------------------------
Fri Mar 30 01:43:38 CEST 2007 - ro@suse.de

- added pwdutils to buildreq 

-------------------------------------------------------------------
Fri Oct 20 18:32:59 CEST 2006 - lmuelle@suse.de

- ensure not to quote None if set in /etc/sysconfig/mailman:MAILMAN_MTA

-------------------------------------------------------------------
Thu Oct 12 16:00:21 CEST 2006 - rommel@suse.de

- upgrade to Mailman 2.1.9 which 
  + fixes some security issues (CVE-2006-2941, CVE-2006-3636, CVE-2006-2191)
  + adds support for languages "Arabic" and "Vietnamese"
  + makes the queue handling more robust
  + makes the handling of header/footers more robust 

-------------------------------------------------------------------
Fri Jun 23 10:30:01 CEST 2006 - poeml@suse.de

- add more info about adding "MAILMAN" to the apache server flags to 
  README.SuSE and /etc/apache2/conf.d/mailman.conf

-------------------------------------------------------------------
Fri Jun 16 11:24:59 CEST 2006 - rommel@suse.de

- update to version 2.1.8 which btw obsoletes these patches:
  mailman-2.1.4-mktime_overflowerror.patch
  mailman-2.1.4-cleanarch.patch
  mailman-2.1.7-patch-20060114.txt
- fixed an error in the comments of sysconfig.mailman
  (MAILMAN_SMTPPORT is relevant for MAILMAN_SMTPHOST, not MAILMAN_DEFAULT_EMAIL_HOST)

-------------------------------------------------------------------
Thu Mar 16 17:59:50 CET 2006 - rommel@suse.de

- applied a bugfix collection for Mailman 2.1.7 from
  http://sourceforge.net/tracker/index.php?func=detail&aid=1405790&group_id=103&atid=300103
- reworked the handling of the alias db file (using the %ghost tag)

-------------------------------------------------------------------
Wed Jan 25 21:38:09 CET 2006 - mls@suse.de

- converted neededforbuild to BuildRequires

-------------------------------------------------------------------
Mon Jan 23 14:19:04 CET 2006 - rommel@suse.de

- fixed cleanarch [bug #144675]
- reworked mailman-2.1.4-mktime_overflowerror.patch [bug #143390]
- removed python-xml from Requires: (was introduced by obsolete patch)

-------------------------------------------------------------------
Mon Jan  9 16:23:53 CET 2006 - rommel@suse.de

- update to version 2.1.7 (rediff of mailman-wrapper.patch,
  mailman-python24.patch, mailman-2.1.5-no_extra_asian.dif)

-------------------------------------------------------------------
Thu Aug 11 17:35:34 CEST 2005 - lnussel@suse.de

- fix permission handling (#66315)

-------------------------------------------------------------------
Tue Jul 12 18:38:53 CEST 2005 - rommel@suse.de

- fixed check_perms [bug #76172] 
- added support for logrotate [bug #94379]

-------------------------------------------------------------------
Sun Jul  3 01:24:55 CEST 2005 - dmueller@suse.de

- update to Mailman 2.1.6, rediff and remove patches
  which are already included upstream 

-------------------------------------------------------------------
Wed Jun 15 13:48:26 CEST 2005 - meissner@suse.de

- use RPM_OPT_FLAGS and PIE support for C binaries (CGI bins mostly)

-------------------------------------------------------------------
Wed Feb 16 16:35:39 CET 2005 - rommel@suse.de

- added mailman-2.1.5-dirtraversal.patch [bug #50563, CAN-2005-0202] 

-------------------------------------------------------------------
Mon Feb 14 02:28:58 CET 2005 - ro@suse.de

- should not need explicit importing of japanese and korean
  any more with current python, remove it 

-------------------------------------------------------------------
Thu Feb 10 02:23:02 CET 2005 - ro@suse.de

- remove python-korean and python-japanese (pkgs dropped) 

-------------------------------------------------------------------
Mon Feb  7 11:24:37 CET 2005 - rommel@suse.de

- added python-xml to requires [bug #50100]
- fixed permissions on default error log file [bug #48208]
- fixed possible data loss situation while updating [bug #48209]

-------------------------------------------------------------------
Sat Jan 15 21:14:31 CET 2005 - schwab@suse.de

- Use <owner>:<group> in permissions file.

-------------------------------------------------------------------
Fri Jan 14 14:22:37 CET 2005 - rommel@suse.de

- added hints in README.SuSE on how to activate the web interface [bug #43292]
- added documentation tree from admin/www and debian's man pages [bug #37394]
- added sysconfig support for SMTPPORT [bug #49551]

-------------------------------------------------------------------
Wed Jan 12 14:47:18 CET 2005 - rommel@suse.de

- added mailman-weak-password.diff [bug #49468, CAN-2004-1144]
- added mailman-CAN-2004-1177.patch [bug #49468, CAN-2004-1177]
- added mailman-2.1.4-avoid-headerfolding-python21.diff [bug #45355] 
- reworked undistributable mailman patch (archive fallback path)

-------------------------------------------------------------------
Wed Dec 15 17:03:15 CET 2004 - ro@suse.de

- another permissions fix 

-------------------------------------------------------------------
Fri Dec  3 16:13:53 CET 2004 - ro@suse.de

- package according to permissions 

-------------------------------------------------------------------
Wed Nov 10 19:29:54 CET 2004 - rommel@suse.de

- reworked start script (bug #42652) 

-------------------------------------------------------------------
Thu Sep 16 23:13:07 CEST 2004 - mmj@suse.de

- Include latest and greatest FAQ [#38461]

-------------------------------------------------------------------
Thu Sep  2 09:54:38 CEST 2004 - mmj@suse.de

- Remove mail to root telling him to RTFM [#44365]

-------------------------------------------------------------------
Mon Aug 30 15:42:37 CEST 2004 - ro@suse.de

- remove apache1 traces

-------------------------------------------------------------------
Sat Aug  7 16:05:34 CEST 2004 - rommel@suse.de

- update to version 2.1.5
- fix of start script (bug #42652)

-------------------------------------------------------------------
Tue Jun 22 01:08:43 CEST 2004 - ro@suse.de

- fix filelist 

-------------------------------------------------------------------
Sun Jun 20 13:49:22 CEST 2004 - rommel@suse.de

- relocating mm_cfg.py doesn't work, switched back to old behaviour (won't fix
  bug #41344)
- re-generating aliases in %post section (important for update)

-------------------------------------------------------------------
Thu Jun  3 12:38:32 CEST 2004 - rommel@suse.de

- fixed bug introduced by relocation of config files (bug #41344)
- updating mailing list aliases on install or update (important for
  autogenerated aliases)
- updated README.SuSE to reflect recent changes

-------------------------------------------------------------------
Fri May  7 18:18:21 CEST 2004 - rommel@suse.de

- new configuration directory /etc/mailman
- moved mm_cfg.py to /etc/mailman (bug #38868)
- precompiled stuff in /usr/lib/mailman/bin (bug #38868)
- added support for https per default (bug #38460)
- added patch against overflow in ArchRunner
  (Request ID 938301 on http://sourceforge.net/projects/mailman/)
- added glue patch for Scrubber
  (Request ID 891491 on http://sourceforge.net/projects/mailman/)

-------------------------------------------------------------------
Thu Mar 25 17:53:35 CET 2004 - rommel@suse.de

- added python-japanese and python-korean to Prereq (bug #36214)

-------------------------------------------------------------------
Wed Mar  3 18:20:03 CET 2004 - rommel@suse.de

- fixed traceback in options page (bug #35267)
- fixed german messages file (bug #35109)

-------------------------------------------------------------------
Wed Feb 18 17:27:08 CET 2004 - rommel@suse.de

- fixed some bugs concerning the wrapper gid files
  (/etc/mailman.*-gid) (see bugs #34614 #34382)

-------------------------------------------------------------------
Thu Feb 12 21:06:51 CET 2004 - rommel@suse.de

- removing stale lockfiles on start (bug #34016)
- fixed a typo in SuSEconfig.mailman (bug #34015)
- fixed Defaults.py to work around upgrade problem (bug #33793)
- fixed permissions in /usr/lib/mailman (bug #33792)
- added support for virtual hosts through SuSEconfig.mailman (feature request)
- added a hint to crontab where the master crontab is (feature request)
- added a patch for more options to list_lists (feature request)
- fixed a permission problem caused by editarch

-------------------------------------------------------------------
Thu Jan 15 19:06:33 CET 2004 - rommel@suse.de

- upgrade to version 2.1.4 (includes fix for latest XSS vulnerability)
- added link for better Sendmail interoperability
- added "--with-python-lib" to configure to work around hard coded /usr/lib
  manifestations

-------------------------------------------------------------------
Tue Dec 16 15:30:49 CET 2003 - rommel@suse.de

- added fix against XSS vulnerability (bug #32187)
- avoiding copies of mailman icons in /srv/www/icon;
  using the IMAGE_LOGOS config switch and an apache/apache2 config instead
  (bug #32496)
- added missing contrib directory to /usr/share/doc/packages/mailman/
- changed ownership of /var/lib/mailman to 2755 so pam ssh doesn't complain 

-------------------------------------------------------------------
Tue Nov 25 11:53:14 CET 2003 - rommel@suse.de

- added missing calls "stop" on uninstall and "try-restart" on update (bug #29047)
- added w3m as requirement (bug #32706)
- not marking mm_cfg.pyc as config (bug #32851)
- added apache2 config (bug #33187)

-------------------------------------------------------------------
Sat Nov  1 16:21:02 CET 2003 - adrian@suse.de

- update to version 2.1.3

-------------------------------------------------------------------
Thu Aug 21 22:40:50 CEST 2003 - mmj@suse.de

- The fix below from mcihar@suse.cz was a little too rough, since
  mailman broke without its own copy of email. So include email
  in the installation, but keep korean and japanese disabled.

-------------------------------------------------------------------
Thu Aug 14 17:30:57 CEST 2003 - rommel@suse.de

- added activation metadata in sysconfig templates

-------------------------------------------------------------------
Mon Aug 11 17:18:48 CEST 2003 - mcihar@suse.cz

- don't include in mailman package python modules we also ship (korean,
  japanese, email)
- notify user about running 'SuSEconfig --module mailman' if not in YaST

-------------------------------------------------------------------
Mon Aug 11 15:04:57 CEST 2003 - rommel@suse.de

- bug-fix update to version 2.1.2
- removed now-obsolete mailman-destdir.patch
- linkage of /etc/aliases.d/mailman to /var/lib/mailman/data/aliases
  has been dropped (unmaintainable)
- fixed mailmanctl to not freeze YaST2 [Bug #26990]
- fixed mail gid auto detection in SuSEconfig.mailman [Bug #27369]
- fixed Defaults.py to not reference build host [Bug #26988]

-------------------------------------------------------------------
Tue Aug  5 18:36:57 CEST 2003 - ro@suse.de

- don't leave buildroot traces in installed files 

-------------------------------------------------------------------
Fri Jun 13 11:59:33 CEST 2003 - kukuk@suse.de

- Fix filelist

-------------------------------------------------------------------
Mon May 12 15:13:04 CEST 2003 - rommel@suse.de

- added DISTRIBUTABLE to be able to build the version used internally

-------------------------------------------------------------------
Mon Mar 17 17:47:05 CET 2003 - kukuk@suse.de

- Don't enable mailman per default, does not work without correct
  configuration

-------------------------------------------------------------------
Mon Mar 10 11:33:51 CET 2003 - rommel@suse.de

- test for presence of /usr/sbin/postalias (reported by Eberhard Moenkeberg)
- added RPM Summary [Bug #24810]
- added Description to rcmailman (shows in runlevel editor)

-------------------------------------------------------------------
Thu Mar  6 17:49:16 CET 2003 - kukuk@suse.de

- Add openssl PreRequires [Bug #24785]

-------------------------------------------------------------------
Mon Feb 10 14:40:14 CET 2003 - rommel@suse.de

- update to version 2.1.1 which obsoletes both mailman-xss.patch and
  mailman-syncmember.patch and fixes the rmlist bug
- added the config attribute to the alias file generated by mailman
  so it does not get lost on package removal
- added MAILMAN_LINK_ALIASES variable to the sysconfig stuff so one
  can create links in /etc/aliases.d that point to
  /var/lib/mailman/data/aliases* independent on the value of MAILMAN_MTA 

-------------------------------------------------------------------
Sat Feb  1 16:33:28 CET 2003 - rommel@suse.de

- fixed the start script to not freeze the runlevel editor on service start
- added metadata to sysconfig.apache-mailman

-------------------------------------------------------------------
Thu Jan 30 17:33:27 CET 2003 - rommel@suse.de

- added missing metadata to sysconfig file
- added official patch against cross-site-scripting (XSS) vulnerability

-------------------------------------------------------------------
Wed Jan 29 17:04:02 CET 2003 - rommel@suse.de

- update to version 2.1
- new start script
- new README.SuSE
- added SuSEconfig script that generates the wrapper gid files
  (/etc/mailman.*-gid) and provides an easy way to generate mm_cfg.py
  (Mailman's site configuration file)    

-------------------------------------------------------------------
Tue Sep 17 17:34:28 CEST 2002 - ro@suse.de

- removed bogus self-provides 

-------------------------------------------------------------------
Fri Aug 30 11:03:44 CEST 2002 - vinil@suse.cz

- enhanced PreRequires
- fixed default hostname in SuSEconfig (bug #17696)
- defaults set for Postfix MTA (Sendmail made optional)

-------------------------------------------------------------------
Mon Aug 12 14:37:59 CEST 2002 - vinil@suse.de

- new version: 2.0.13

-------------------------------------------------------------------
Fri Aug  2 11:09:46 CEST 2002 - ro@suse.de

- adapted server root 

-------------------------------------------------------------------
Thu Jul 11 15:07:19 CEST 2002 - vinil@suse.cz

- new version: 2.0.12
- own user and group 'mailman'
- use /etc/aliases.d/mailman instead of /etc/aliases
- paragraph about creating ML added into README.SuSE

-------------------------------------------------------------------
Mon Jun  3 14:39:36 CEST 2002 - ro@suse.de

- fix build on lib64 
- added openssl to neededforbuild

-------------------------------------------------------------------
Thu Jan 31 11:35:06 CET 2002 - vinil@suse.cz

- README.SuSE typo fixed

-------------------------------------------------------------------
Thu Jan 24 15:21:45 CET 2002 - vinil@suse.cz

- add rcscript, that moves crontab entry in /etc/cron.d/ and out

-------------------------------------------------------------------
Thu Jan 17 00:54:43 CET 2002 - ro@suse.de

- adapted for /etc/sysconfig/apache 

-------------------------------------------------------------------
Wed Jan 16 11:41:30 CET 2002 - vinil@suse.cz

- installation is able to handle old /var/spool/mailman, now
- /var/lib/mailman/Mailman/mm_cfg.py* is %config(noreplace)

-------------------------------------------------------------------
Tue Dec 11 13:28:32 CET 2001 - vinil@suse.cz

- update to 2.0.8
- web frontend prepared for apache
- patch for configurable cgi-gid and mail-gid
- taking care about /etc/aliases now

-------------------------------------------------------------------
Sun Aug 19 20:47:27 CEST 2001 - iboernig@suse.de

- update to new stable version 2.0.6 

-------------------------------------------------------------------
Sun Aug 19 20:13:03 CEST 2001 - iboernig@suse.de

- fixed bug in specfile (Bug #9519) Apache GID is now nogroup again. 

-------------------------------------------------------------------
Wed Apr 25 16:17:13 CEST 2001 - iboernig@suse.de

- changed mailgid to "daemon". It should work now with sendmail. 
  Postfix users have to change default_privs 

-------------------------------------------------------------------
Fri Mar 16 14:51:15 CET 2001 - iboernig@suse.de

- updated to version 2.0.3, includes minor security fix

-------------------------------------------------------------------
Fri Jan  5 10:55:21 CET 2001 - iboernig@suse.de

- bugfix: move crontab entry to /etc/cron.d/mailman
- notify user in %post-section
- created README.SuSE

-------------------------------------------------------------------
Thu Dec 28 11:57:36 CET 2000 - choeger@suse.de

- bugfix: --prefix=$RPM_BUILD_ROOT does NOT work, because then
          /var/tmp/mailman-* would be compiled into some .c files
          changed Makefiles to allow DESTDIR=/path
- create crontab entries in postinstall
- use gid of nogroup also for mail-wrapper

-------------------------------------------------------------------
Thu Nov 30 10:59:18 CET 2000 - iboernig@suse.de

- changed default user.group to mdom.mdom

-------------------------------------------------------------------
Wed Nov 29 19:34:22 CET 2000 - iboernig@suse.de

- initial version