GNU Mailman 2.1.27

Milestone information

GNU Mailman
Mark Sapiro

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature.

| File | Description | Downloads |
|---|---|---|
| mailman-2.1.27.tgz (md5, sig) | Mailman 2.1.27 release | 387 (last downloaded 20 weeks ago) |

Total downloads: 387

Release notes 

2.1.27 (22-Jun-2018)


    - Existing protections against malicious listowners injecting evil
      scripts into listinfo pages have had a few more checks added.

    - A few more error messages have had their values HTML escaped.

    - The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
      the same as one generated at the same time for a different list and
      IP address. While this is not thought to be exploitable in any way,
      the generation has been changed to avoid this. Thanks to Ralf Jung.
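
One way a collision of this kind can arise, shown as an added example that is not Mailman's code: when the fields are concatenated without separators before hashing, a character can move from the list name to the IP address without changing the hashed bytes. The function names, the secret and the field layout are assumptions made for illustration; the hardened form uses an HMAC over length-prefixed fields.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-example-secret"  # placeholder, not a real setting value


def naive_token(now, listname, remote_ip):
    """Hash of plain concatenation: field boundaries are not encoded."""
    data = SECRET + str(now).encode() + listname.encode() + remote_ip.encode()
    return hashlib.sha256(data).hexdigest()


def _frame(field):
    """Prefix a field with its 4-byte big-endian length."""
    return struct.pack(">I", len(field)) + field


def framed_token(now, listname, remote_ip):
    """HMAC over length-prefixed fields: each tuple maps to unique bytes."""
    msg = b"".join(_frame(f) for f in (
        str(now).encode(), listname.encode(), remote_ip.encode()))
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def collides(token_fn, a, b, now=1529625600):
    """True if two distinct (listname, ip) pairs yield the same token."""
    return hmac.compare_digest(token_fn(now, *a), token_fn(now, *b))


# Constructed inputs: the trailing "1" moves from the list name to the IP.
PAIR_A = ("staff1", "92.0.2.10")
PAIR_B = ("staff", "192.0.2.10")

if __name__ == "__main__":
    print("naive collides: ", collides(naive_token, PAIR_A, PAIR_B))
    print("framed collides:", collides(framed_token, PAIR_A, PAIR_B))
```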

  New Features

    - An option has been added to bin/add_members to issue invitations
      instead of immediately adding members. (LP: #1773064)

    - A new BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE setting has been added to
      enable blocking web subscribes from IPv4 addresses listed in Spamhaus
      SBL, CSS or XBL. It will work with IPv6 addresses if Python's
      py2-ipaddress module is installed. The module can be installed via pip
      if not included in your Python.

    - Thanks to Jim Popovitch, Mailman has a new 'security' log and logs
      authentication failures to the various web CGI functions. The logged
      data include the remote IP and can be used to automate blocking of IPs
      with something like fail2ban. Since Mailman 2.1.14, these have returned
      an HTTP 401 status and the information should be logged by the web
      server, but this new log makes that more convenient. Also, the
      'mischief' log entries for 'hostile listname' now include the remote IP
      if available.

    - Thanks to Jim Popovitch, admin notices of (un)subscribes now may give
      the source of the action. This consists of a %(whence)s replacement
      that has been added to the admin(un)subscribeack.txt templates. Thanks
      to Yasuhito FUTATSUKI for updating the non-English templates and help
      with internationalizing the reasons.

    - Thanks to Jim Popovitch, there is a new
      BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE setting to enable blocking web
      subscribes for addresses in domains listed in the Spamhaus DBL.
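
How a lookup behind BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE is formed for IPv4 and IPv6, and why the ipaddress module matters for the latter, as an added example that is not Mailman's code. The zone name and the return-code table are assumptions taken from Spamhaus's published documentation rather than from this page, the function names are hypothetical, and no DNS query is made: the answers are constructed inputs.

```python
import ipaddress

ZONE = "zen.spamhaus.org"  # assumed zone; the release note names only the lists

# Spamhaus return codes for the three lists the setting covers. Other 127.0.0.x
# answers (for example PBL) and 127.255.255.x error codes are not listings here.
BLOCKING_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL",
    "127.0.0.6": "XBL", "127.0.0.7": "XBL",
}


def dnsbl_query_name(ip, zone=ZONE):
    """Build the DNSBL query name: reversed octets (IPv4) or nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def listed_in(answers):
    """Return the covered lists named by a set of A-record answers."""
    return sorted({BLOCKING_CODES[a] for a in answers if a in BLOCKING_CODES})


def should_block(answers):
    """Block only on an SBL, CSS or XBL answer; errors and NXDOMAIN pass."""
    return bool(listed_in(answers))


if __name__ == "__main__":
    # Constructed inputs: documentation addresses and hand-written answers.
    print(dnsbl_query_name("192.0.2.1"))
    print(dnsbl_query_name("2001:db8::1"))
    print(listed_in(["127.0.0.3", "127.0.0.4"]), should_block(["127.255.255.254"]))
```

Treating a 127.255.255.x answer as a listing would block every subscriber whenever the resolver is refused by the DNSBL, which is why the decision is made on an explicit allow-list of codes.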


    - The Japanese translation has been updated by Yasuhito FUTATSUKI.

    - The Russian translation has been updated by Danil Smirnov.

    - A partial Esperanto translation has been added. Thanks to
      Rubén Fernández Asensio.

    - Fixed a '# -*- coding:' line in the Russian message catalog that was
      mistakenly translated to Russian. (LP: #1777342)


    - Added to the contrib directory, a script from Jim Popovitch to generate
      Sitemap files for a list's archive.



  Bug fixes and other patches

    - Some messages from bin/arch were not issued in the charset of the system
      locale when DISABLE_COMMAND_LOCALE_CSET is No. Thanks to Yasuhito
      FUTATSUKI this is now fixed. (LP: #1768892)

    - The message displayed in the browser when accessing a Mailman CGI when can't be imported due to some exception other than ImportError
      has been improved. (LP: #1760506)

    - The reimplementation of DELIVERY_RETRY_WAIT in 2.1.26 could cause extra
      dequeueing and requeueing in the out queue by OutgoingRunner. This is
      fixed. (LP: #1762871)

    - A Python 2.7 dependency introduced in the ToDigests handler in Mailman
      2.1.24 has been removed. (LP: #1755317)

    - Bad values in a list's topics will no longer break everything that
      might instantiate the list. (LP: #1754516)

    - A Python 2.7 dependency introduced with the reCAPTCHA feature in 2.1.26
      has been removed. (LP: #1752658)

    - The reCAPTCHA feature requires JavaScript. If JavaScript is not enabled,
      a message will be displayed on the subscribe form that JavaScript is
      required. (LP: #1769374)

    - Quoting in the mailman-config command has been changed from double to
      single quotes to allow double-quoted parameters. (LP: #1774986)

    - Approving a held subscription for a user with a 'different' preferred
      language no longer corrupts the results page. (LP: #1777222)

    - An issue with garbled descriptions on listinfo and admin overview pages
      and the heading of a list's listinfo page due to incompatible character
      sets has been fixed thanks to Yasuhito FUTATSUKI.

0 blueprints and 12 bugs targeted

| Bug report | Importance | Assignee | Status |
|---|---|---|---|
| #1752658 The reCAPTCHA implementation in Mailman 2.1.26 requires Python 2.7 | High | Mark Sapiro | Fix Released |
| #1754516 config_list can set invalid values and break lists. | High | Mark Sapiro | Fix Released |
| #1755317 Python 2.7 dependency in Handlers/ | Medium | Mark Sapiro | Fix Released |
| #1762871 Retries of temporary delivery failures can cause excessive activity in OutgoingRunner. | Medium | Mark Sapiro | Fix Released |
| #1769374 The reCAPTCHA feature requires JavaScript | Medium | Mark Sapiro | Fix Released |
| #1773064 bin/add_members needs an "invite" option. | Medium | Mark Sapiro | Fix Released |
| #1777222 admindb uses wrong language in subscription approval result page body | Medium | Mark Sapiro | Fix Released |
| #1777342 config_list: generated python encoding declaration is erroneously translated | Medium | Mark Sapiro | Fix Released |
| #1760506 syntax error is handled ungracefully | Low | Mark Sapiro | Fix Released |
| #1768892 bin/arch still reports messages in list language/charset | Low | Mark Sapiro | Fix Released |
| #1774986 mailman-config incorrect quoting in print statement | Low | Mark Sapiro | Fix Released |
| #1775233 Python 2.7 dependency in Utils.banned_ip() | Low | Mark Sapiro | Fix Released |