
Advisories: March 23, 2005

Written By
Web Webster
Mar 24, 2005

Fedora Core


Fedora Update Notification
FEDORA-2005-241
2005-03-22


Product : Fedora Core 2
Name : mailman
Version : 2.1.5
Release : 10.fc2
Summary : Mailing list manager with built in Web access.

Description :
Mailman is software to help manage email discussion lists, much
like Majordomo and Smartmail. Unlike most similar products, Mailman
gives each mailing list a webpage, and allows users to subscribe,
unsubscribe, etc. over the Web. Even the list manager can
administer his or her list entirely from the Web. Mailman also
integrates most things people want to do with mailing lists,
including archiving, mail <-> news gateways, and so on.

Documentation can be found in: /usr/share/doc/mailman-2.1.5

When the package has finished installing, you will need to
perform some additional installation steps; these are described in:
/usr/share/doc/mailman-2.1.5/INSTALL.REDHAT


Update Information:

A cross-site scripting (XSS) flaw in the driver script of
mailman prior to version 2.1.5 could allow remote attackers to
execute scripts as other web users. The Common Vulnerabilities and
Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-1177 to this issue.

Users of mailman should update to this erratum package, which
corrects this issue by turning on STEALTH_MODE by default and using
Utils.websafe() to quote the html.


  • Mon Mar 21 2005 John Dennis <jdennis@redhat.com> –
    3:2.1.5-10.fc2
    • fix bug #147833, CAN-2004-1177
  • Mon Feb 14 2005 John Dennis <jdennis@redhat.com> –
    3:2.1.5-9.fc2
    • fix bug #147856, moderator -1 admin requests pending
  • Tue Feb 8 2005 John Dennis <jdennis@redhat.com> –
    3:2.1.5-8.fc2
    • fix security vulnerability CAN-2005-0202, errata RHSA-2005:136,
      bug #147343
  • Wed Jun 9 2004 John Dennis <jdennis@redhat.com> –
    3:2.1.5-6
    • fix bug in pre scriptlet, last command had been “service mailman
      stop”
    • bump rev for rebuild which should have been harmless if mailman
      was not installed except that it left the exit status from the
      script as non-zero and rpm aborted the install.
  • Wed Jun 9 2004 John Dennis <jdennis@redhat.com> –
    3:2.1.5-5
    • add status reporting to init.d control script
      stop mailman during an installation
      restart mailman if it had been running prior to installation
  • Mon Jun 7 2004 John Dennis <jdennis@redhat.com> –
    3:2.1.5-4
    • back python prereq down to 2.2, should be sufficient
  • Thu May 20 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-3
    • make python prereq be at least 2.3
  • Tue May 18 2004 Jeremy Katz <katzj@redhat.com> 3:2.1.5-2
    • rebuild
  • Mon May 17 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-1
    • bring up to latest 2.1.5 upstream release From Barry Warsaw:
      Mailman 2.1.5, a bug fix release that also contains new support for
      the Turkish language, and a few minor new features. Mailman 2.1.5
      is a significant upgrade which should improve disk i/o performance,
      administrative overhead for discarding held spams, and the behavior
      of bouncing member disables. This version also contains a fix for
      an exploit that could allow 3rd parties to retrieve member
      passwords. It is thus highly recommended that all existing
      sites upgrade to the latest version
  • Tue May 4 2004 Warren Togami <wtogami@redhat.com>
    3:2.1.4-4
    • #105638 fix bytecompile and rpm -V
    • postun /etc/postfix/aliases fix
    • clean uninstall (no more empty dirs)
    • #115378 RedirectMatch syntax fix
  • Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Fri Jan 9 2004 John Dennis
    <jdennis@finch.boston.redhat.com> 3:2.1.4-1
    • upgrade to new upstream release 2.1.4
    • fixes bugs 106349,112851,105367,91463
  • Wed Jun 4 2003 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Wed May 7 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • bring up to next upstream release 2.1.2
  • Sun May 4 2003 Florian La Roche
    <Florian.LaRoche@redhat.de>
    • fix typo in post script: mmusr -> mmuser
  • Thu Apr 24 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • fix bug 72004, 74483, 74484, 87856 – improper log rotation
    • fix bug 88083 – mailman user/group needed to exist during
      build
    • fix bug 88144 – wrong %file attributes on mm_cfg.py
    • fix bug 89221 – mailman user not created on install
    • fix bug 89250 – wrong pid file name in initscript
  • Wed Mar 5 2003 Florian La Roche
    <Florian.LaRoche@redhat.de>
    • change to /etc/rc.d/init.d as in all other rpms
  • Thu Feb 20 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • change mailman login shell from /bin/false to
      /sbin/nologin
  • Fri Feb 14 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • bring package up to 2.1.1 release, add /usr/share/doc
      files
  • Sat Feb 1 2003 Florian La Roche
    <Florian.LaRoche@redhat.de>
    • make the icon dir owned by root:root as in other rpms
  • Fri Jan 31 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • various small tweaks to the spec file to make installation
      cleaner
    • use /usr/bin/python when compiling, redirect compile output to
      /dev/null,
    • don’t run update in %post, let the user do it, remove the .pyc
      files in %postun,
    • add setting of MAILHOST and URLHOST to localhost.localdomain,
      don’t let
    • configure set them to the build machine.
  • Mon Jan 27 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • add the cross site scripting (xss) security patch to version
      2.1
  • Fri Jan 24 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • do not start mailman service in %post
  • Wed Jan 22 2003 Tim Powers <timp@redhat.com>
    • rebuilt
  • Mon Jan 20 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • 1) remove config patch, mailmanctl was not the right file to
      install in init.d,
    • it needed to be scripts/mailman
    • 2) rename httpd-mailman.conf to mailman.conf, since the file
      now lives
    • in httpd/conf.d directory the http prefix is redundant and
      inconsistent
    • with the other file names in that directory.
  • Tue Jan 7 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • Bring package up to date with current upstream source, 2.1
    • Fix several install/packaging problems that were in upstream
      source
    • Add multiple mail group functionality
    • Fix syntax error in fblast.py
    • Remove the forced setting of mail host and url host in
      mm_cfg.py
  • Tue Nov 12 2002 Tim Powers <timp@redhat.com> 2.0.13-4
    • remove files from $$RPM_BUILD_ROOT that we don’t intend to
      ship
  • Wed Aug 14 2002 Nalin Dahyabhai <nalin@redhat.com>
    2.0.13-3
    • set MAILHOST and WWWHOST in case the configure script can’t
      figure out the local host name
  • Fri Aug 2 2002 Nalin Dahyabhai <nalin@redhat.com>
    2.0.13-2
    • rebuild
  • Fri Aug 2 2002 Nalin Dahyabhai <nalin@redhat.com>
    2.0.13-1
    • specify log files individually, per faq wizard
    • update to 2.0.13
  • Wed May 22 2002 Nalin Dahyabhai <nalin@redhat.com>
    2.0.11-1
    • update to 2.0.11
  • Fri Apr 5 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.9-1
    • include README.QMAIL in with the docs (#58887)
    • include README.SENDMAIL and README.EXIM in with the docs
    • use an included httpd.conf file instead of listing the
      configuration directives in the %description, which due to specspo
      magic might look wrong sometimes (part of #51324)
    • interpolate the DEFAULT_HOST_NAME value in mm.cfg into both the
      DEFAULT_URL and MAILMAN_OWNER (#57987)
    • move logs to /var/log/mailman, qfiles to /var/spool/mailman,
      rotate logs in the log directory (#48724)
    • raise exceptions when someone tries to set the admin address
      for a list to that of the admin alias (#61468)
  • Thu Apr 4 2002 Nalin Dahyabhai <nalin@redhat.com>
    • fix a default permissions problem in
      /var/mailman/archives/private, reported by Johannes Erdfelt
    • update to 2.0.9
  • Tue Apr 2 2002 Nalin Dahyabhai <nalin@redhat.com>
    • make the symlink in /etc/smrsh relative
  • Tue Dec 11 2001 Nalin Dahyabhai <nalin@redhat.com>
    2.0.8-1
    • set FQDN and URL at build-time so that they won’t be set to the
      host the RPM package is built on (#59177)
  • Wed Nov 28 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.8
  • Sat Nov 17 2001 Florian La Roche
    <Florian.LaRoche@redhat.de> 2.0.7-1
    • update to 2.0.7
  • Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
    2.0.6-1
    • update to 2.0.6
  • Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
    • code in default user/group names/IDs
  • Wed May 30 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.5
    • change the default hostname from localhost to
      localhost.localdomain in the default configuration
    • chuck configuration file settings other than those dependent on
      the host name (the build system’s host name is not a good default)
      (#32337)
  • Tue Mar 13 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.3
  • Tue Mar 6 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.2
  • Wed Feb 21 2001 Nalin Dahyabhai <nalin@redhat.com>
    • patch from Barry Warsaw (via mailman-developers) to not die on
      broken Content-Type: headers
  • Tue Jan 9 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.1
  • Wed Dec 6 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0 final release
    • move the data to /var
  • Fri Oct 20 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to beta 6
  • Thu Aug 3 2000 Nalin Dahyabhai <nalin@redhat.com>
    • add note about adding FollowSymlinks so that archives work
  • Wed Aug 2 2000 Nalin Dahyabhai <nalin@redhat.com>
    • make the default owner root again so that root owns the
      docs
    • update to 2.0beta5, which fixes a possible security
      vulnerability
    • add smrsh symlink
  • Mon Jul 24 2000 Prospector <prospector@redhat.com>
    • rebuilt
  • Wed Jul 19 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to beta4
    • change uid/gid to apache.apache to match apache (#13593)
    • properly recompile byte-compiled versions of the scripts
      (#13619)
    • change mailman alias from root to postmaster
  • Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to beta3
    • drop bugs and arch patches (integrated into beta3)
  • Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
    • move web files to reside under /var/www
    • move files from /usr/share to /usr/share
    • integrate spot-fixes from mailman lists via gnome.org
  • Mon Jun 19 2000 Nalin Dahyabhai <nalin@redhat.com>
    • rebuild for Power Tools
  • Tue May 23 2000 Nalin Dahyabhai <nalin@redhat.com>
    • Update to 2.0beta2 to pick up security fixes.
    • Change requires python to list >= 1.5.2
  • Mon Nov 8 1999 Bernhard Rosenkranzer <bero@redhat.com>
    • 1.1
  • Tue Sep 14 1999 Preston Brown <pbrown@redhat.com>
    • 1.0 final.
  • Tue Jun 15 1999 Preston Brown <pbrown@redhat.com>
    • security fix for cookies
    • moved to /usr/share/mailman
  • Fri May 28 1999 Preston Brown <pbrown@redhat.com>
    • fix up default values.
  • Fri May 7 1999 Preston Brown <pbrown@redhat.com>
    • modifications to install scripts
  • Thu May 6 1999 Preston Brown <pbrown@redhat.com>
    • initial RPM for SWS 3.0

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.



John Dennis <jdennis@redhat.com>


Fedora Update Notification
FEDORA-2005-242
2005-03-22


Product : Fedora Core 3
Name : mailman
Version : 2.1.5
Release : 32.fc3
Summary : Mailing list manager with built in Web access.

Description :
Mailman is software to help manage email discussion lists, much
like Majordomo and Smartmail. Unlike most similar products, Mailman
gives each mailing list a webpage, and allows users to subscribe,
unsubscribe, etc. over the Web. Even the list manager can
administer his or her list entirely from the Web. Mailman also
integrates most things people want to do with mailing lists,
including archiving, mail <-> news gateways, and so on.

Documentation can be found in: /usr/share/doc/mailman-2.1.5

When the package has finished installing, you will need to
perform some additional installation steps; these are described in:
/usr/share/doc/mailman-2.1.5/INSTALL.REDHAT


Update Information:

A cross-site scripting (XSS) flaw in the driver script of
mailman prior to version 2.1.5 could allow remote attackers to
execute scripts as other web users. The Common Vulnerabilities and
Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-1177 to this issue.

Users of mailman should update to this erratum package, which
corrects this issue by turning on STEALTH_MODE by default and using
Utils.websafe() to quote the html.

In addition, this version of the rpm includes a utility script in
/usr/share/doc/mailman-*/contrib/migrate-fhs that can be run if the
user has installed an FC3 or FC4 mailman rpm over an older non-FHS
compliant mailman installation. The script will aid in moving the
file locations from the old directory structure to the new FHS
mailman directory structure that is present in FC3, FC4, and
RHEL4. Users who have installed mailman originally from FC3, FC4 or
RHEL4 will not need to migrate any file locations.
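
The two measures named in the CAN-2004-1177 fix (in both the Fedora Core 2 and Fedora Core 3 notices above), shown on a simplified CGI error page. This is an added example, not Mailman's driver code: websafe() here is a stand-in built on Python's html.escape, and render_unpatched(), render_patched() and the sample request are constructed for illustration.

```python
import html
import traceback

# Constructed request: markup in PATH_INFO, which an error page that dumps
# the CGI environment would echo back to whoever follows the link.
SAMPLE_ENVIRON = {
    "PATH_INFO": "/listinfo/<script>alert(1)</script>",
    "REQUEST_METHOD": "GET",
    "SERVER_NAME": "lists.example.org",
}


def websafe(text):
    """Stand-in for Utils.websafe(): quote HTML metacharacters."""
    return html.escape(str(text), quote=True)


def _details(exc, environ, quote):
    """Exception summary plus environment table, each value run through quote."""
    summary = "".join(traceback.format_exception_only(type(exc), exc))
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>" % (quote(key), quote(value))
        for key, value in sorted(environ.items())
    )
    return "<pre>%s</pre><table>%s</table>" % (quote(summary), rows)


def render_unpatched(exc, environ):
    """'Before' behaviour: request data reaches the page unquoted."""
    return "<h2>Error</h2>" + _details(exc, environ, str)


def render_patched(exc, environ, stealth_mode=True):
    """'After' behaviour. Returns (page, log_entry).

    With stealth_mode on (the erratum's new default) the browser gets a
    generic message and the details go only to the log. With it off, the
    details are shown but every value is quoted first.
    """
    summary = "".join(traceback.format_exception_only(type(exc), exc))
    log_entry = summary + "".join(
        "%s: %s\n" % (key, value) for key, value in sorted(environ.items())
    )
    if stealth_mode:
        page = "<h2>Error</h2><p>Details were written to the error log.</p>"
    else:
        page = "<h2>Error</h2>" + _details(exc, environ, websafe)
    return page, log_entry


if __name__ == "__main__":
    err = ValueError("no such list: " + SAMPLE_ENVIRON["PATH_INFO"])
    print(render_unpatched(err, SAMPLE_ENVIRON))
    print(render_patched(err, SAMPLE_ENVIRON, stealth_mode=False)[0])
    print(render_patched(err, SAMPLE_ENVIRON, stealth_mode=True)[0])
```

Stealth mode and quoting are independent layers: the first removes the reflected data from the response entirely, the second keeps the page safe when an administrator turns the details back on for debugging.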


  • Wed Mar 2 2005 John Dennis <jdennis@redhat.com> –
    3:2.1.5-32.fc3
    • fix bug #150065, provide migration script for new FHS
      installation
    • fix bug #147833, CAN-2004-1177
  • Mon Feb 14 2005 John Dennis <jdennis@redhat.com> –
    3:2.1.5-31.fc3
    • fix bug #132750, add daemon to mail-gid so courier mail server
      will work.
    • fix bug #143008, wrong location of mailmanctl in logrotate
    • fix bug #142605, init script doesn’t use /var/lock/subsys
  • Tue Feb 8 2005 John Dennis <jdennis@redhat.com> –
    3:2.1.5-30.fc3
    • fix security vulnerability CAN-2005-0202, errata RHSA-2005:137,
      bug #147343
  • Tue Nov 9 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-29.fc3
    • fix bug #137863, buildroot path in .pyc files
  • Mon Nov 8 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-27
    • rebuild to fix bug #137863, python embeds build root in .pyc
      files
  • Sat Oct 16 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-26
    • fix typo in install documentation
    • fix error in templates/Makefile.in, bad install args, fixes bug
      #136001, thank you to Kaj J. Niemi for spotting this.
  • Thu Oct 14 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-24
    • more FHS changes, matches with new SELinux security policy
  • Wed Sep 29 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-21
    • move list data dir to /var/lib/mailman to conform to FHS move
      lock dir to /var/lock/mailman to conform to FHS move config dir
      (VAR_PREFIX/data) to /etc/mailman to conform to FHS Thanks to Matt
      Domsch for pointing this out.
  • Tue Sep 28 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-20
    • fix bug #132732, security policy violations,
    • bump release version move non-data installation files from
      /var/mailman to /usr/lib/mailman, update documentation
  • Fri Sep 10 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-19
    • add i18n start/stop strings to init.d script
  • Fri Sep 10 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-18
    • fix bug #89250, add condrestart also fix status return values
      in mailmanctl and init.d script
  • Tue Sep 7 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-17
    • fix bug #120930, add contents of contrib to doc area
  • Tue Sep 7 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-16
    • fix bug #121220, httpd config file tweaks add doc to
      INSTALL.REDHAT for selecting MTA
  • Fri Sep 3 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-15
    • fix bug #117615, don’t overwrite user modified templates on
      install made template directory “config noreplace”
  • Thu Sep 2 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-14
    • add comments into the crontab files so users know the
      /etc/cron.d file is volatile and will edit the right file. Also
      make the master crontab file “config noreplace” so edits are
      preserved.
  • Wed Sep 1 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-13
    • fix bug #124208, enable mailman cron jobs from init.d rather
      than during installation
  • Tue Aug 31 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-12
    • fix bug #129920, cron jobs execute under wrong SELinux
      policy
  • Mon Aug 30 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-11
    • remove all editing of aliases file in %pre and %post, fixes
      #bug 125651
  • Mon Aug 9 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-10
    • fix bug #129492 and bug #120912 stop using crontab to setup
      mailman’s cron jobs, instead install cron script in
      /etc/cron.d
  • Mon Aug 9 2004 John Dennis <jdennis@redhat.com> 3:2.1.5-9
  • Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Wed Jun 9 2004 John Dennis <jdennis@redhat.com> –
    3:2.1.5-7
    • bump rev for rebuild
  • Wed Jun 9 2004 John Dennis <jdennis@redhat.com> –
    3:2.1.5-6
    • fix bug in pre scriptlet, last command had been “service mailman
      stop” which should have been harmless if mailman was not installed
      except that it left the exit status from the script as non-zero and
      rpm aborted the install.
  • Wed Jun 9 2004 John Dennis <jdennis@redhat.com> –
    3:2.1.5-5
    • add status reporting to init.d control script stop mailman
      during an installation restart mailman if it had been running prior
      to installation
  • Mon Jun 7 2004 John Dennis <jdennis@redhat.com> –
    3:2.1.5-4
    • back python prereq down to 2.2, should be sufficient
  • Thu May 20 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-3
    • make python prereq be at least 2.3
  • Tue May 18 2004 Jeremy Katz <katzj@redhat.com> 3:2.1.5-2
    • rebuild
  • Mon May 17 2004 John Dennis <jdennis@redhat.com>
    3:2.1.5-1
    • bring up to latest 2.1.5 upstream release From Barry Warsaw:
      Mailman 2.1.5, a bug fix release that also contains new support for
      the Turkish language, and a few minor new features. Mailman 2.1.5
      is a significant upgrade which should improve disk i/o performance,
      administrative overhead for discarding held spams, and the behavior
      of bouncing member disables. This version also contains a fix for
      an exploit that could allow 3rd parties to retrieve member
      passwords. It is thus highly recommended that all existing
      sites upgrade to the latest version
  • Tue May 4 2004 Warren Togami <wtogami@redhat.com>
    3:2.1.4-4
    • #105638 fix bytecompile and rpm -V
    • postun /etc/postfix/aliases fix
    • clean uninstall (no more empty dirs)
    • #115378 RedirectMatch syntax fix
  • Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Fri Jan 9 2004 John Dennis
    <jdennis@finch.boston.redhat.com> 3:2.1.4-1
    • upgrade to new upstream release 2.1.4
    • fixes bugs 106349,112851,105367,91463
  • Wed Jun 4 2003 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Wed May 7 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • bring up to next upstream release 2.1.2
  • Sun May 4 2003 Florian La Roche
    <Florian.LaRoche@redhat.de>
    • fix typo in post script: mmusr -> mmuser
  • Thu Apr 24 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • fix bug 72004, 74483, 74484, 87856 – improper log rotation
    • fix bug 88083 – mailman user/group needed to exist during
      build
    • fix bug 88144 – wrong %file attributes on mm_cfg.py
    • fix bug 89221 – mailman user not created on install
    • fix bug 89250 – wrong pid file name in initscript
  • Wed Mar 5 2003 Florian La Roche
    <Florian.LaRoche@redhat.de>
    • change to /etc/rc.d/init.d as in all other rpms
  • Thu Feb 20 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • change mailman login shell from /bin/false to
      /sbin/nologin
  • Fri Feb 14 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • bring package up to 2.1.1 release, add /usr/share/doc
      files
  • Sat Feb 1 2003 Florian La Roche
    <Florian.LaRoche@redhat.de>
    • make the icon dir owned by root:root as in other rpms
  • Fri Jan 31 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • various small tweaks to the spec file to make installation
      cleaner
    • use /usr/bin/python when compiling, redirect compile output to
      /dev/null,
    • don’t run update in %post, let the user do it, remove the .pyc
      files in %postun,
    • add setting of MAILHOST and URLHOST to localhost.localdomain,
      don’t let
    • configure set them to the build machine.
  • Mon Jan 27 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • add the cross site scripting (xss) security patch to version
      2.1
  • Fri Jan 24 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • do not start mailman service in %post
  • Wed Jan 22 2003 Tim Powers <timp@redhat.com>
    • rebuilt
  • Mon Jan 20 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • 1) remove config patch, mailmanctl was not the right file to
      install in init.d,
    • it needed to be scripts/mailman
    • 2) rename httpd-mailman.conf to mailman.conf, since the file
      now lives
    • in httpd/conf.d directory the http prefix is redundant and
      inconsistent
    • with the other file names in that directory.
  • Tue Jan 7 2003 John Dennis
    <jdennis@finch.boston.redhat.com>
    • Bring package up to date with current upstream source, 2.1
    • Fix several install/packaging problems that were in upstream
      source
    • Add multiple mail group functionality
    • Fix syntax error in fblast.py
    • Remove the forced setting of mail host and url host in
      mm_cfg.py
  • Tue Nov 12 2002 Tim Powers <timp@redhat.com> 2.0.13-4
    • remove files from $$RPM_BUILD_ROOT that we don’t intend to
      ship
  • Wed Aug 14 2002 Nalin Dahyabhai <nalin@redhat.com>
    2.0.13-3
    • set MAILHOST and WWWHOST in case the configure script can’t
      figure out the local host name
  • Fri Aug 2 2002 Nalin Dahyabhai <nalin@redhat.com>
    2.0.13-2
    • rebuild
  • Fri Aug 2 2002 Nalin Dahyabhai <nalin@redhat.com>
    2.0.13-1
    • specify log files individually, per faq wizard
    • update to 2.0.13
  • Wed May 22 2002 Nalin Dahyabhai <nalin@redhat.com>
    2.0.11-1
    • update to 2.0.11
  • Fri Apr 5 2002 Nalin Dahyabhai <nalin@redhat.com> 2.0.9-1
    • include README.QMAIL in with the docs (#58887)
    • include README.SENDMAIL and README.EXIM in with the docs
    • use an included httpd.conf file instead of listing the
      configuration directives in the %description, which due to specspo
      magic might look wrong sometimes (part of #51324)
    • interpolate the DEFAULT_HOST_NAME value in mm.cfg into both the
      DEFAULT_URL and MAILMAN_OWNER (#57987)
    • move logs to /var/log/mailman, qfiles to /var/spool/mailman,
      rotate logs in the log directory (#48724)
    • raise exceptions when someone tries to set the admin address
      for a list to that of the admin alias (#61468)
  • Thu Apr 4 2002 Nalin Dahyabhai <nalin@redhat.com>
    • fix a default permissions problem in
      /var/mailman/archives/private, reported by Johannes Erdfelt
    • update to 2.0.9
  • Tue Apr 2 2002 Nalin Dahyabhai <nalin@redhat.com>
    • make the symlink in /etc/smrsh relative
  • Tue Dec 11 2001 Nalin Dahyabhai <nalin@redhat.com>
    2.0.8-1
    • set FQDN and URL at build-time so that they won’t be set to the
      host the RPM package is built on (#59177)
  • Wed Nov 28 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.8
  • Sat Nov 17 2001 Florian La Roche
    <Florian.LaRoche@redhat.de> 2.0.7-1
    • update to 2.0.7
  • Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
    2.0.6-1
    • update to 2.0.6
  • Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
    • code in default user/group names/IDs
  • Wed May 30 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.5
    • change the default hostname from localhost to
      localhost.localdomain in the default configuration
    • chuck configuration file settings other than those dependent on
      the host name (the build system’s host name is not a good default)
      (#32337)
  • Tue Mar 13 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.3
  • Tue Mar 6 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.2
  • Wed Feb 21 2001 Nalin Dahyabhai <nalin@redhat.com>
    • patch from Barry Warsaw (via mailman-developers) to not die on
      broken Content-Type: headers
  • Tue Jan 9 2001 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0.1
  • Wed Dec 6 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.0 final release
    • move the data to /var
  • Fri Oct 20 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to beta 6
  • Thu Aug 3 2000 Nalin Dahyabhai <nalin@redhat.com>
    • add note about adding FollowSymlinks so that archives work
  • Wed Aug 2 2000 Nalin Dahyabhai <nalin@redhat.com>
    • make the default owner root again so that root owns the
      docs
    • update to 2.0beta5, which fixes a possible security
      vulnerability
    • add smrsh symlink
  • Mon Jul 24 2000 Prospector <prospector@redhat.com>
    • rebuilt
  • Wed Jul 19 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to beta4
    • change uid/gid to apache.apache to match apache (#13593)
    • properly recompile byte-compiled versions of the scripts
      (#13619)
    • change mailman alias from root to postmaster
  • Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
    • update to beta3
    • drop bugs and arch patches (integrated into beta3)
  • Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
    • move web files to reside under /var/www
    • move files from /usr/share to /usr/share
    • integrate spot-fixes from mailman lists via gnome.org
  • Mon Jun 19 2000 Nalin Dahyabhai <nalin@redhat.com>
    • rebuild for Power Tools
  • Tue May 23 2000 Nalin Dahyabhai <nalin@redhat.com>
    • Update to 2.0beta2 to pick up security fixes.
    • Change requires python to list >= 1.5.2
  • Mon Nov 8 1999 Bernhard Rosenkranzer <bero@redhat.com>
    • 1.1
  • Tue Sep 14 1999 Preston Brown <pbrown@redhat.com>
    • 1.0 final.
  • Tue Jun 15 1999 Preston Brown <pbrown@redhat.com>
    • security fix for cookies
    • moved to /usr/share/mailman
  • Fri May 28 1999 Preston Brown <pbrown@redhat.com>
    • fix up default values.
  • Fri May 7 1999 Preston Brown <pbrown@redhat.com>
    • modifications to install scripts
  • Thu May 6 1999 Preston Brown <pbrown@redhat.com>
    • initial RPM for SWS 3.0

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.



John Dennis <jdennis@redhat.com>

SUSE Linux


SUSE Security Announcement

Package: ImageMagick
Announcement-ID: SUSE-SA:2005:017
Date: Wed, 23 Mar 2005 14:00:00 +0000
Affected products: 8.2, 9.0, 9.1, 9.2 SUSE Linux Desktop 1.0 SUSE
Linux Enterprise Server 8, 9 Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10): 5
SUSE default package: no
Cross References: CAN-2005-0397 CAN-2005-0759 CAN-2005-0760
CAN-2005-0761 CAN-2005-0762

Content of this advisory:

  1. security vulnerability resolved: several security problems in
    ImageMagick problem description
  2. solution/workaround
  3. special instructions and notes
  4. package location and checksums
  5. pending vulnerabilities, solutions, workarounds: See SUSE
    Security Summary Report.
  6. standard appendix (further information)

1) problem description, brief discussion

This update fixes several security issues in the ImageMagick
program suite:

  • A format string vulnerability was found in the display program
    which could lead to a remote attacker being able to execute code
    as the user running display by providing handcrafted filenames of
    images. This is tracked by the Mitre CVE ID CAN-2005-0397.

    Andrei Nigmatulin reported 4 problems in older versions of
    ImageMagick:

  • A bug was found in the way ImageMagick handles TIFF tags. It is
    possible that a TIFF image file with an invalid tag could cause
    ImageMagick to crash. This is tracked by the Mitre CVE ID
    CAN-2005-0759.

    Only ImageMagick versions before version 6 are affected.

  • A bug was found in ImageMagick’s TIFF decoder. It is possible
    that a specially crafted TIFF image file could cause ImageMagick to
    crash. This is tracked by the Mitre CVE ID CAN-2005-0760.

    Only ImageMagick versions before version 6 are affected.

  • A bug was found in the way ImageMagick parses PSD files. It is
    possible that a specially crafted PSD file could cause ImageMagick
    to crash. This is tracked by the Mitre CVE ID CAN-2005-0761.

    Only ImageMagick versions before version 6.1.8 are affected.

  • A heap overflow bug was found in ImageMagick’s SGI parser. It
    is possible that an attacker could execute arbitrary code by
    tricking a user into opening a specially crafted SGI image file.
    This is tracked by the Mitre CVE ID CAN-2005-0762.

    Only ImageMagick versions before version 6 are affected.

2) solution/workaround

Please install the updated packages.

3) special instructions and notes

None.

4) package location and checksums

Please download the update package for your distribution and
verify its integrity by the methods listed in section 3) of this
announcement. Then, install the package using the command “rpm -Fhv
file.rpm” to apply the update.
Our maintenance customers are being notified individually. The
packages are being offered to install from the maintenance web.


5) Pending vulnerabilities in SUSE Distributions and
Workarounds:

See SUSE Security Summary Report.


6) standard appendix: authenticity verification, additional
information

  • Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers
    all over the world. While this service is considered valuable
    and important to the free and open source software community, many
    users wish to be sure about the origin of the package and its
    content before installing the package. There are two verification
    methods that can be used independently from each other to prove the
    authenticity of a downloaded file or rpm package:

    1. md5sums as provided in the (cryptographically signed)
      announcement.
    2. using the internal gpg signatures of the rpm package.

    1. Execute the command md5sum <name-of-the-file.rpm> after
      you downloaded the file from a SUSE ftp server or its mirrors.
      Then, compare the resulting md5sum with the one that is listed in
      the announcement. Since the announcement containing the checksums
      is cryptographically signed (usually using the key
      security@suse.de), the checksums show proof of the authenticity
      of the package. We recommend against subscribing to security
      lists which cause the email message containing the announcement
      to be modified so that the signature does not match after
      transport through the mailing list software.
      Downsides: You must be able to verify the authenticity of the
      announcement in the first place. If RPM packages are being rebuilt
      and a new version of a package is published on the ftp server, all
      md5 sums for the files are useless.
    2. rpm package signatures provide an easy way to verify the
      authenticity of an rpm package. Use the command
      rpm -v --checksig <file.rpm> to verify the signature of the
      package, where <file.rpm> is the filename of the rpm package that
      you have downloaded. Of course, package authenticity verification
      can only target an un-installed rpm package file. Prerequisites:
      1. gpg is installed
      2. The package is signed using a certain key. The public part of
        this key must be installed by the gpg program in the directory
        ~/.gnupg/ under the home directory of the user who performs the
        signature verification (usually root). You can import the key that
        is used by SUSE in rpm packages for SUSE Linux by saving this
        announcement to a file (“announcement.txt”) and running the command
        (do “su -” to be root):

          gpg --batch; gpg < announcement.txt | gpg --import

        SUSE Linux distributions version 7.1 and thereafter install the
        key “build@suse.de” upon installation or upgrade, provided that
        the package gpg is installed. The file containing the public key
        is placed at the top-level directory of the first CD
        (pubring.gpg) and at
        ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de.
  • SUSE runs two security mailing lists to which any interested
    party may subscribe:

    • suse-security@suse.com: general/linux/SUSE security
      discussion. All SUSE security announcements are sent to this
      list. To subscribe, send an email to
      <suse-security-subscribe@suse.com>.

    • suse-security-announce@suse.com: SUSE’s announce-only mailing
      list. Only SUSE’s security announcements are sent to this list.
      To subscribe, send an email to
      <suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq)
send mail to:

<suse-security-info@suse.com>
or <suse-security-faq@suse.com>
respectively.


SUSE’s security contact is <security@suse.com> or
<security@suse.de>.

The <security@suse.de> public key is
listed below.



The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, it is desired that the clear-text signature shows
proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with
respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
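
The md5sum comparison from the package authenticity verification section, automated as an added example (not SUSE's or this page's own code). The helper names `listed_md5`, `check_pkg` and `demo` are hypothetical, and the layout of a package URL followed by its checksum is an assumption about the saved announcement.

```shell
# Added example, not part of the advisory. Assumes the saved announcement has
# already passed gpg signature verification, and that each package URL is
# followed (after optional blank lines) by its 32-hex-digit md5sum.

# Print the checksum the announcement lists for one package file name.
listed_md5() {   # usage: listed_md5 ANNOUNCEMENT PACKAGE_FILE_NAME
    awk -v want="$2" '
        $1 ~ /^(ftp|http|https):\/\// {
            n = split($1, parts, "/")
            armed = (parts[n] == want)   # is this URL the package we want?
            next
        }
        # First bare 32-character hex token after the matching URL.
        armed && NF == 1 && length($1) == 32 && $1 !~ /[^0-9a-fA-F]/ {
            print tolower($1)
            exit
        }
    ' "$1"
}

# Return 0 on match, 1 on mismatch, 2 when the announcement does not list the
# file (for example a rebuilt package, where only the rpm signature helps).
check_pkg() {    # usage: check_pkg ANNOUNCEMENT DOWNLOADED_FILE
    want=$(listed_md5 "$1" "$(basename "$2")")
    if [ -z "$want" ]; then
        echo "$2: no checksum listed; fall back to rpm -v --checksig" >&2
        return 2
    fi
    have=$(md5sum "$2" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then
        echo "$2: OK"
    else
        echo "$2: MISMATCH (listed $want, computed $have)" >&2
        return 1
    fi
}

# Constructed demo: build a sample file and announcement, then check it.
demo() {
    d=$(mktemp -d)
    printf 'constructed package body\n' > "$d/demo-1.0-1.i586.rpm"
    sum=$(md5sum "$d/demo-1.0-1.i586.rpm" | awk '{ print $1 }')
    printf 'ftp://ftp.example.org/update/demo-1.0-1.i586.rpm\n\n%s\n' "$sum" \
        > "$d/announcement.txt"
    check_pkg "$d/announcement.txt" "$d/demo-1.0-1.i586.rpm"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Exit status 2 corresponds to the downside the advisory names: once a package is rebuilt, the published md5 sums no longer apply and the rpm signature check is the remaining method.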
