GNU Mailman 2.1.26

Milestone information

GNU Mailman
Mark Sapiro
Release registered:
Yes. Drivers can target bugs and blueprints to this milestone.  

7 Mark Sapiro
No blueprints are targeted to this milestone.
7 Fix Released

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature.

| File | Description | Downloads |
|---|---|---|
| mailman-2.1.26.tgz (md5, sig) | Mailman 2.1.26 release | 1,275 |

Last downloaded 14 weeks ago.
Total downloads: 1,275

Release notes 

2.1.26 (04-Feb-2018)


    - An XSS vulnerability in the user options CGI could allow a crafted URL
      to execute arbitrary JavaScript in a user's browser. A related issue
      could expose information on a user's options page without requiring
      login. These are fixed. Thanks to Calum Hutton for the report.
      CVE-2018-5950 (LP: #1747209)

  New Features

    - Thanks to David Siebörger who adapted an existing patch by Andrea
      Veri to use Google reCAPTCHA v2 there is now the ability to add
      reCAPTCHA to the listinfo subscribe form. There are two new
      settings for RECAPTCHA_SITE_KEY and RECAPTCHA_SECRET_KEY, the values
      for which you obtain for your domain(s) from Google at

    - Thanks to Lindsay Haisley, there is a new bin/mailman-config command
      to display various information about this Mailman version and how it
      was configured.


    - The Japanese message catalog has been updated for added strings by
      Yasuhito FUTATSUKI.

    - The German translation of a couple of templates has been updated by
      Thomas Hochstein.

    - The Japanese translation of has been updated by
      Yasuhito FUTATSUKI.


  Bug fixes and other patches

    - Fixed an i18n bug in the reCAPTCHA feature. (LP: #1746189)

    - Added a few more environment variables to the list of those passed
      to CGIs to support an nginx/uwsgi configuration. (LP: #1744739)

    - Mailman 2.1.22 introduced a Python 2.7 dependency that could affect
      bin/arch processing a message without a valid Date: header. The
      dependency has been removed. (LP: #1740543)

    - Messages held for header_filter_rules now show the matched regexp in
      the hold reason. (LP: #1737371)

    - When updating the group and mode of a .db file with Mailman's Postfix
      integration, a missing file is ignored. (LP: #1734162)

    - The DELIVERY_RETRY_WAIT setting is now effective. (LP: #1729472)

0 blueprints and 7 bugs targeted

| Bug report | Importance | Assignee | Status |
|---|---|---|---|
| #1747209 XSS vulnerability and information leak in user options CGI | High | Mark Sapiro | Fix Released |
| #1737371 Show which header_filter_rules regexp matched in the hold reason. | Medium | Mark Sapiro | Fix Released |
| #1746189 wrong usage of _() in Mailman/Cgi/ | Medium | Mark Sapiro | Fix Released |
| #1729472 The DELIVERY_RETRY_WAIT setting is ignored | Low | Mark Sapiro | Fix Released |
| #1734162 OSError in Mailman/MTA/ when updating maps. | Low | Mark Sapiro | Fix Released |
| #1740543 Mailman 2.1.22+ requires Python 2.7 | Low | Mark Sapiro | Fix Released |
| #1744739 2.1.25 login based pages not working with uwsgi | Low | Mark Sapiro | Fix Released |