Package Release Info

mailman-2.1.35-bp152.7.6.1

Update Info: openSUSE-2021-1452
Available in Package Hub : 15 SP2 Update

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

mailman

Change Logs

* Wed Oct 27 2021 Bernhard Wiedemann <bwiedemann@suse.com>
- Update to 2.1.35 to fix 2 security issues:
  - A potential for a list member to carry out an off-line brute force
    attack to obtain the list admin password has been reported by Andre
    Protas, Richard Cloke and Andy Nuttall of Apple.  This is fixed.
    CVE-2021-42096  (boo#1191959, LP:#1947639)
  - A CSRF attack via the user options page could allow takeover of a user's
    account.  This is fixed.  CVE-2021-42097  (boo#1191960, LP:#1947640)
  - Add reproducible.patch to use fixed build date in mailman-config
    to make package build reproducible (boo#1047218)
Version: 2.1.34-bp152.7.3.1
* Thu Oct 15 2020 Matej Cepl <mcepl@suse.com>
- Update to 2.1.34:
  - The fix for lp#1859104 can result in ValueError being thrown
    on attempts to subscribe to a list. This is fixed and
    extended to apply REFUSE_SECOND_PENDING to unsubscription as
    well. (lp#1878458)
  - DMARC mitigation no longer misses if the domain name returned
    by DNS contains upper case. (lp#1881035)
  - A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to
    prevent mailbombing of a member of a list with private
    rosters by repeated subscribe attempts. (lp#1883017)
  - Very long filenames for scrubbed attachments are now
    truncated. (lp#1884456)
  - A content injection vulnerability via the private login page
    has been fixed. CVE-2020-15011  (lp#1877379, bsc#1173369)
  - A content injection vulnerability via the options login page
    has been discovered and reported by Vishal Singh.
    CVE-2020-12108 (lp#1873722, bsc#1171363)
  - Bounce recognition for a non-compliant Yahoo format is added.
  - Archiving workaround for non-ascii in string.lowercase in
    some Python packages is added.
  - Thanks to Jim Popovitch, there is now
    a dmarc_moderation_addresses list setting that can be used to
    apply dmarc_moderation_action to mail From: addresses listed
    or matching listed regexps. This can be used to modify mail
    to addresses that don't accept external mail From:
    themselves.
  - There is a new MAX_LISTNAME_LENGTH setting. The fix for
    lp#1780874 obtains a list of the names of all the
    lists in the installation in order to determine the maximum
    length of a legitimate list name. It does this on every web
    access and on sites with a very large number of lists, this
    can have performance implications. See the description in
    Defaults.py for more information.
  - Thanks to Ralf Jung there is now the ability to add text
    based captchas (aka textchas) to the listinfo subscribe form.
    See the documentation for the new CAPTCHA setting in
    Defaults.py for how to enable this. Also note that if you
    have custom listinfo.html templates, you will have to add
    a <mm-captcha-ui> tag to those templates to make this work.
    This feature can be used in combination with or instead of
    the Google reCAPTCHA feature added in 2.1.26.
  - Thanks to Ralf Hildebrandt the web admin Membership
    Management section now has a feature to sync the list's
    membership with a list of email addresses as with the
    bin/sync_members command.
  - There is a new drop_cc list attribute set from
    DEFAULT_DROP_CC. This controls the dropping of addresses from
    the Cc: header in delivered messages by the duplicate
    avoidance process. (lp#1845751)
  - There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that
    will cause a second request to subscribe to a list when there
    is already a pending confirmation for that user. This can be
    set to Yes to prevent mailbombing of a third party by
    repeatedly posting the subscribe form. (lp#1859104)
  - Fixed the confirm CGI to catch a rare TypeError on
    simultaneous confirmations of the same token. (lp#1785854)
  - Scrubbed application/octet-stream MIME parts will now be
    given a .bin extension instead of .obj. CVE-2020-12137
    (lp#1886117)
  - Added bounce recognition for a non-compliant opensmtpd DSN
    with Action: error. (lp#1805137)
  - Corrected and augmented some security log messages.
    (lp#1810098)
  - Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner
    --runner=All. (lp#1818205)
  - Leading/trailing spaces in provided email addresses for login
    to private archives and the user options page are now
    ignored. (lp#1818872)
  - Fixed the spelling of the --no-restart option for mailmanctl.
  - Fixed an issue where certain combinations of charset and
    invalid characters in a list's description could produce
    a List-ID header without angle brackets. (lp#1831321)
  - With the Postfix MTA and virtual domains, mappings for the
    site list -bounces and -request addresses in each virtual
    domain are now added to data/virtual-mailman (-owner was done
    in 2.1.24). (lp#1831777)
  - The paths.py module now extends sys.path with the result of
    site.getsitepackages() if available. (lp#1838866)
  - A bug causing a UnicodeDecodeError in preparing to send the
    confirmation request message to a new subscriber has been
    fixed. (lp#1851442)
  - The SimpleMatch heuristic bounce recognizer has been improved
    to not return most invalid email addresses. (lp#1859011)
- Remove patch included upstream:
  - CVE-2020-12108_injection_options.patch
- Patches reapplied on the new tarball:
  - mailman-2.1.14-editarch.patch
  - mailman-2.1.14-python.dif
  - mailman-2.1.4-notavaliduser.patch
  - mailman-2.1.5-no_extra_asian.dif
  - mailman-weak-password.diff
Version: 2.1.29-bp151.5.9.1
* Tue May 12 2020 Matej Cepl <mcepl@suse.com>
- Add CVE-2020-12108_injection_options.patch fixing bsc#1171363
  (CVE-2020-12108)
- Make two remaining patches -p1 as well:
  - mailman-2.1.26-list_lists.patch
  - mailman-wrapper.patch
* Mon May 11 2020 Matej Cepl <mcepl@suse.com>
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST
  (bsc#682920), adjust mailman-2.1.14-python.dif.
- Reapply and adjust remaining patches:
  - mailman-2.1.14-editarch.patch
  - mailman-2.1.4-dirmode.patch
  - mailman-2.1.4-notavaliduser.patch
  - mailman-2.1.5-no_extra_asian.dif
  - mailman-weak-password.diff
Version: 2.1.29-bp151.5.6.1
* Tue Apr 28 2020 Matej Cepl <mcepl@suse.com>
- Fix rights and ownership on /var/lib/mailman/archives (bsc#1167068)
Version: 2.1.29-bp151.5.3.1
* Fri Jan 24 2020 Johannes Segitz <jsegitz@suse.de>
- Don't use explicit chown and chmod in %post, but rather use
  %attr in files. Avoid bsc#1154328 (CVE-2019-3693)
Version: 2.1.29-bp150.2.3.1
* Mon Feb 25 2019 Matej Cepl <mcepl@suse.com>
- boo#1095112: add /etc/mailman/mailman.cgi-gid and fix user
  rights.
Version: 2.1.29-bp150.1.1
* Fri Aug 03 2018 liedke@rz.uni-mannheim.de
- update to 2.1.29:
  * Fixed the listinfo and admin overview pages that were broken
* Tue Jul 24 2018 liedke@rz.uni-mannheim.de
- update to 2.1.28:
  * A content spoofing vulnerability with invalid list name messages in
    the web UI has been fixed.  CVE-2018-13796 bsc#1101288
  * It is now possible to edit HTML and text templates via the web admin
    UI in a supported language other than the list's preferred_language.
  * The Japanese translation has been updated
  * The German translation has been updated
  * The Esperanto translation has been updated
  * The BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE feature added in 2.1.27 was
    not working.  This is fixed.
  * Escaping of HTML entities for the web UI is now done more selectively.
* Thu Jun 28 2018 liedke@rz.uni-mannheim.de
- update to 2.1.27
  * Existing protections against malicious listowners injecting evil
    scripts into listinfo pages have had a few more checks added.
    JVN#00846677/JPCERT#97432283/CVE-2018-0618 (boo#1099510)
  * A few more error messages have had their values HTML escaped.
    JVN#00846677/JPCERT#97432283/CVE-2018-0618 (boo#1099510)
  * The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
    the same as one generated at the same time for a different list and
    IP address.  While this is not thought to be exploitable in any way,
    the generation has been changed to avoid this.
  * An option has been added to bin/add_members to issue invitations
    instead of immediately adding members.
  * A new BLOCK_SPAMHAUS_LISTED_IP_SUBSCRIBE setting has been added to
    enable blocking web subscribes from IPv4 addresses listed in Spamhaus
    SBL, CSS or XBL.  It will work with IPv6 addresses if Python's
    py2-ipaddress module is installed.  The module can be installed via pip
    if not included in your Python.
  * Mailman has a new 'security' log and logs
    authentication failures to the various web CGI functions.  The logged
    data include the remote IP and can be used to automate blocking of IPs
    with something like fail2ban.  Since Mailman 2.1.14, these have returned
    an http 401 status and the information should be logged by the web
    server, but this new log makes that more convenient.  Also, the
    'mischief' log entries for 'hostile listname' now include the remote IP
    if available.
  * admin notices of (un)subscribes now may give
    the source of the action.  This consists of a %(whence)s replacement
    that has been added to the admin(un)subscribeack.txt templates.  Thanks
    to Yasuhito FUTATSUKI for updating the non-English templates and help
    with internationalizing the reasons.
  * there is a new
    BLOCK_SPAMHAUS_LISTED_DBL_SUBSCRIBE setting to enable blocking web
    subscribes for addresses in domains listed in the Spamhaus DBL.
  * i18n & Bugfixes
  * for further details see NEWS
* Mon Mar 19 2018 tchvatal@suse.com
- Fix install prefix for some of the files
- Install license file
* Fri Mar 16 2018 tchvatal@suse.com
- Sort out with spec-cleaner
- Use direct paths in post scriptlets and properly state their deps
- Do not attempt user creation during build, fails anyway
- Use proper user creation code in scriptlets
* Thu Mar 15 2018 liedke@rz.uni-mannheim.de
- update to 2.1.26
  * An XSS vulnerability in the user options CGI could allow a crafted
    URL to execute arbitrary javascript in a user's browser.  A
    related issue could expose information on a user's options page
    without requiring login. (CVE-2018-5950) bsc#1077358
  * Google reCAPTCHA v2
  * New bin/mailman-config command to display various information
    about this Mailman version and how it was configured.
  * bug fixes, i18n updates
  * for further details see NEWS
- update to 2.1.25
  * The admindb held subscriptions listing now includes the date of the
    most recent request from the address.
  * bug fixes, i18n updates
  * for further details see NEWS
- update to 2.1.24
  * bug fixes, i18n updates
  * for further details see NEWS
- Rename and refresh patch:
  * mailman-2.1.2-list_lists.patch to mailman-2.1.26-list_lists.patch
* Mon Nov 27 2017 dmueller@suse.com
- remove distributable flag (which is always true):
  drops SuSEconfig.mailman-SuSE, mailman-SuSE.patch, mailman-SuSE2.patch
* Thu Nov 23 2017 rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
  %_fillupdir macro (boo#1069468)
* Thu Jun 29 2017 dimstar@opensuse.org
- Fix pre script for usage with more recent postfix versions.
* Mon Mar 20 2017 kukuk@suse.de
- Require system user wwwrun
* Mon Feb 20 2017 kukuk@suse.de
- Require fillup and insserv if we call them
* Mon Aug 29 2016 hsk17@mail.de
- update to 2.1.23
  * CSRF protection in user options page (CVE-2016-6893)
  * header_filter_rules matching: headers and patterns are all
    decoded to unicode
  * another possible REMOVE_DKIM_HEADERS setting
  * SMTPDirect.py can now do SASL authentication and STARTTLS
  * bug fixes, i18n updates
  * for further details see NEWS
* Mon Apr 18 2016 hsk@imb-jena.de
- update to 2.1.22
  * bug fixes, i18n updates; for details see NEWS
* Tue Mar 29 2016 hsk@imb-jena.de
- updated mailman-apache2.conf to support "require" syntax of recent
  apache httpd
* Mon Feb 29 2016 hsk@imb-jena.de
- update to 2.1.21
  * new dmarc_none_moderation_action list setting
  * new feature to automatically turn on moderation for single list
    members (spam prevention)
  * new mm_cfg.py setting GLOBAL_BAN_LIST
  * translation updates and bug fixes
  * for more details see NEWS and Mailman/Defaults.py
- mailman-2.1.4-dirmode.patch: adjusted to 2.1.21
* Wed Feb 03 2016 mpluskal@suse.com
- Use url for source
- Add gpg signature
* Tue Mar 31 2015 hsk@imb-jena.de
- update to 2.1.20
  * fix for CVE-2015-2775 (path traversal vulnerability)
  * new Address Change sub-section in the web admin Membership
    Management section
  * translation updates and bug fixes
* Mon Mar 02 2015 hsk@imb-jena.de
- update to 2.1.19
  * backports from 2.2 development branch
  - new list attribute 'subscribe_auto_approval'
  - added 'automate' option to bin/newlist
  - processing of Topics regular expressions has changed
  - added real name display to the web roster, controlled by new
    ROSTER_DISPLAY_REALNAME setting
  - bug fixes
  * new list attribute dmarc_wrapped_message_text and
    DEFAULT_DMARC_WRAPPED_MESSAGE_TEXT setting
  * new list attribute equivalent_domains and DEFAULT_EQUIVALENT_DOMAINS
    setting
  * new WEB_HEAD_ADD setting
  * new DEFAULT_SUBSCRIBE_OR_INVITE setting
  * new list attribute bounce_notify_owner_on_bounce_increment and
    DEFAULT_BOUNCE_NOTIFY_OWNER_ON_BOUNCE_INCREMENT setting
  * log files, request.pck files and heldmsg-* files are no longer created
    world readable
  * i18n updates
  * bug fixes
* Fri Oct 17 2014 hsk@imb-jena.de
- update to 2.1.18
  * mailman now requires dnspython
  * new dmarc_moderation_action feature and corresponding list and default
    settings
  * bug fixes
* Fri Feb 14 2014 jmatejek@suse.com
- rename README.SuSE
- update to 2.1.17
  * option to strip/keep non-standard headers in anonymous lists
  * option to make membership checks on mail-news gateway
  * UI improvements for admin interface
  * digest_size_threshold = 0 now means that *no* digest is sent
    based on size
  * option to CSRF-protect subscription form
  * admins can add members with mail delivery disabled
  * configurable name of master lock
  * updated translations
- updated list_lists patch because upstream list_lists now has
  an argument -p / --public-archive that does the same as SUSE-specific
  argument -u / --public-archives. Both spellings are supported
  and are synonymous.