GNU Mailman 2.1.35

Milestone information

GNU Mailman
Mark Sapiro
Release registered:
Yes. Drivers can target bugs and blueprints to this milestone.  

Download RDF metadata


Assigned to you:
No blueprints or bugs assigned to you.
7 Mark Sapiro
No blueprints are targeted to this milestone.
8 Fix Released

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature. (How do I verify a download?)

File Description Downloads
download icon mailman-2.1.35.tgz (md5, sig) Mailman 2.1.35 release. 339
last downloaded 2 weeks ago
Total downloads: 339

Release notes 

A security release with a few additional fixes. See the Changelog for details.


View the full changelog

2.1.35 (19-Oct-2021)


    - A potential for for a list member to carry out an off-line brute force
      attack to obtain the list admin password has been reported by Andre
      Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.
      CVE-2021-42096 (LP:#1947639)

    - A CSRF attack via the user options page could allow takeover of a users
      account. This is fixed. CVE-2021-42097 (LP:#1947640)

  Bug Fixes and other patches

    - Fixed an issue where sometimes the wrapper message for DMARC mitigation
      Wrap Message has no Subject:. (LP: #1915655)

    - Plain text message bodies with Content-Disposition: and no declared
      charset are no longer scrubbed. (LP: #1917968)

    - CommandRunner now recodes message bodies in the charset of the user's
      or list's language to avoid a possible UnicodeError when including the
      message body in the reply. (LP: #1921682)

    - Delivery disabled by bounce notices to admins now have 'disabled'
      properly translated. (LP: #1922843)

    - DMARC policy discovery ignores domains with multiple DMARC records per
      RFC 7849, (LP: 1931029)

0 blueprints and 8 bugs targeted

Bug report Importance Assignee Status
1915655 #1915655 DMARC Wrap Message doesn't include Subject: in the wrapper. 3 High Mark Sapiro  10 Fix Released
1895451 #1895451 Mailman 2.1 does not support dnspython >=2.0 4 Medium Mark Sapiro  10 Fix Released
1921682 #1921682 Japanese language prevents user from unsubscribing 4 Medium Mark Sapiro  10 Fix Released
1922843 #1922843 bounce action notice message never use the translation for 'disabled' 4 Medium Mark Sapiro  10 Fix Released
1947639 #1947639 Potential Privilege escalation via the user options page. 4 Medium Mark Sapiro  10 Fix Released
1947640 #1947640 Potential CSRF attack via the user options page. 4 Medium Mark Sapiro  10 Fix Released
1917968 #1917968 A text/plain message body is scrubbed with a .ksh extension 5 Low Mark Sapiro  10 Fix Released
1931029 #1931029 DMARC policy lookup violates RFC 7849. 5 Low   10 Fix Released
This milestone contains Public information
Everyone can see this information.