Index: NEWS
===================================================================
RCS file: /cvsroot/mailman/mailman/NEWS,v
retrieving revision 1.25.2.1
retrieving revision 1.25.2.2
diff -u -r1.25.2.1 -r1.25.2.2
--- NEWS	2001/01/03 07:08:33	1.25.2.1
+++ NEWS	2001/03/03 06:51:26	1.25.2.2
@@ -4,6 +4,36 @@
 
 Here is a history of user visible changes to Mailman.
 
+2.0.2 (03-Mar-2001)
+
+    Security fix:
+
+    - A fix for a potential privacy exploit where a clever list
+      administrator could gain access to user passwords.  This doesn't
+      allow them to do much more harm to the user then they normally
+      could, but they still shouldn't have access to the passwords.
+
+    Bug fixes:
+
+    - In the admindb page, don't complain when approving a
+      subscription of someone who's already on the list (SF bug
+      #222409 - Thomas Wouters).
+
+      Also, quote for HTML the Subject: text printed for held
+      messages, otherwise messages with e.g. "Subject: </table>" could
+      royally screw page formatting.
+
+    - In Netscape.py bounce processor, don't bomb out on ill-formed
+      messages (no semi-colon separating parameters), otherwise mail
+      delivery could grind to a halt.  Bug reported by Kambiz
+      Aghaiepour.
+
+    - Docstring fix bin/newlist to remove mention of "immediate"
+      argument (Thomas Wouters).
+
+    - Fix for bin/update when PREFIX != VAR_PREFIX (SF bug #229794 --
+      Thomas Wouters).
+
 2.0.1 (03-Jan-2001)
 
     Bug fix release, namely fixes a buglet in bin/withlist affecting
Index: UPGRADING
===================================================================
RCS file: /cvsroot/mailman/mailman/UPGRADING,v
retrieving revision 1.16.2.2
retrieving revision 1.16.2.3
diff -u -r1.16.2.2 -r1.16.2.3
--- UPGRADING	2001/01/03 06:35:43	1.16.2.2
+++ UPGRADING	2001/03/03 06:54:25	1.16.2.3
@@ -33,6 +33,11 @@
 
     http://mail.python.org/pipermail/mailman-users/2000-September/006826.html
 
+UPGRADING FROM 2.0.1 to 2.0.2
+
+    Nothing much more than running "make install" (after upgrading)
+    should be necessary.
+
 UPGRADING FROM 2.0 to 2.0.1
 
     Nothing much more than running "make install" (after upgrading)
@@ -47,7 +52,7 @@
 
     The cron jobs for Mailman 2.0 final have changed considerably,
     including the frequency with which they run.  You should reload
-    misc/crontab.in for the `mailman' user to get the right settings.
+    cron/crontab.in for the `mailman' user to get the right settings.
     See the INSTALL file for details.
 
     FAILURE TO DO THIS WILL RESULT IN A LESS THAN OPTIMALLY FUNCTIONAL
Index: Mailman/ListAdmin.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/ListAdmin.py,v
retrieving revision 1.47
retrieving revision 1.47.2.1
diff -u -r1.47 -r1.47.2.1
--- Mailman/ListAdmin.py	2000/11/08 19:19:55	1.47
+++ Mailman/ListAdmin.py	2001/03/02 23:32:15	1.47.2.1
@@ -326,9 +326,13 @@
         else:
             # subscribe
             assert value == mm_cfg.SUBSCRIBE
-            self.ApprovedAddMember(addr, password, digest)
-            # TBD: disgusting hack: ApprovedAddMember() can end up closing the
-            # request database.
+            try:
+                self.ApprovedAddMember(addr, password, digest, lang)
+            except Errors.MMAlreadyMember:
+                # User has already been subscribed, after sending the request
+                pass
+            # TBD: disgusting hack: ApprovedAddMember() can end up closing
+            # the request database.
             self.__opendb()
         return REMOVE
 
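Review bot: `lang` is passed as a new fourth argument to ApprovedAddMember() in the added call, but nothing in this hunk binds it, and the call being replaced took only `addr, password, digest`. The enclosing method starts above the hunk, so a binding may exist there. If it does not, the call raises NameError, and because only Errors.MMAlreadyMember is caught, the approval would fail instead of being treated as already done. Unless `lang` is defined earlier and ApprovedAddMember() accepts it on this branch, the call should stay `self.ApprovedAddMember(addr, password, digest)`.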
Index: Mailman/Version.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/Version.py,v
retrieving revision 1.20.2.1
retrieving revision 1.20.2.2
diff -u -r1.20.2.1 -r1.20.2.2
--- Mailman/Version.py	2001/01/03 06:49:34	1.20.2.1
+++ Mailman/Version.py	2001/03/03 06:19:15	1.20.2.2
@@ -1,4 +1,4 @@
-# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
+# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -15,7 +15,7 @@
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
 # Mailman version
-VERSION = "2.0.1"
+VERSION = "2.0.2"
 
 # And as a hex number in the manner of PY_VERSION_HEX
 ALPHA = 0xa
@@ -27,7 +27,7 @@
 
 MAJOR_REV = 2
 MINOR_REV = 0
-MICRO_REV = 1
+MICRO_REV = 2
 REL_LEVEL = FINAL
 # at most 15 beta releases!
 REL_SERIAL = 0
Index: Mailman/Bouncers/Netscape.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/Bouncers/Netscape.py,v
retrieving revision 1.5
retrieving revision 1.5.2.2
diff -u -r1.5 -r1.5.2.2
--- Mailman/Bouncers/Netscape.py	2000/06/20 05:40:36	1.5
+++ Mailman/Bouncers/Netscape.py	2001/02/20 23:25:08	1.5.2.2
@@ -49,8 +49,10 @@
     #     multipart/mixed;
     # TBD: should we tighten this check?
     if msg.getmaintype() <> 'multipart':
-        return None
+        return
     boundary = msg.getparam('boundary')
+    if boundary is None:
+        return
     msg.fp.seek(0)
     mfile = multifile.MultiFile(msg.fp)
     mfile.push(boundary)
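Review bot: The new `if boundary is None:` guard has no comment explaining why it is there, and it would not reject an empty boundary value. The boundary is read from the Content-Type of an incoming message, so it is untrusted input; a comment such as `# Malformed Content-Type (no boundary parameter): not a bounce we can parse` would record that. If getparam() can return an empty string (not visible here), `if not boundary:` would cover that case too. The function continues outside the hunk, so whether later parsing of the same message is equally tolerant cannot be judged from these lines.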
Index: Mailman/Cgi/admindb.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/admindb.py,v
retrieving revision 1.36
retrieving revision 1.36.2.1
diff -u -r1.36 -r1.36.2.1
--- Mailman/Cgi/admindb.py	2000/09/29 00:05:05	1.36
+++ Mailman/Cgi/admindb.py	2001/03/03 06:02:01	1.36.2.1
@@ -1,4 +1,4 @@
-# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
+# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -186,7 +186,7 @@
     t.AddRow([Bold('From:'), sender])
     row, col = t.GetCurrentRowIndex(), t.GetCurrentCellIndex()
     t.AddCellInfo(row, col-1, align='right')
-    t.AddRow([Bold('Subject:'), subject])
+    t.AddRow([Bold('Subject:'), cgi.escape(subject)])
     t.AddCellInfo(row+1, col-1, align='right')
     t.AddRow([Bold('Reason:'), reason])
     t.AddCellInfo(row+2, col-1, align='right')
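Review bot: Only `subject` is escaped here; `sender` and `reason` on the neighbouring AddRow() calls are still written into the admin page as-is. `sender` looks like it comes from the held message just as the subject does, so the same markup-injection problem would apply unless it is escaped before this point, which the hunk does not show. The From row would then read `t.AddRow([Bold('From:'), cgi.escape(sender)])`, and `reason` deserves the same treatment if any part of it is taken from the message. Also confirm that `cgi` is imported at the top of admindb.py, since no import is added in this diff.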
Index: Mailman/Handlers/Decorate.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/Handlers/Decorate.py,v
retrieving revision 1.7
retrieving revision 1.7.2.1
diff -u -r1.7 -r1.7.2.1
--- Mailman/Handlers/Decorate.py	2000/09/15 17:19:19	1.7
+++ Mailman/Handlers/Decorate.py	2001/03/03 06:49:11	1.7.2.1
@@ -30,6 +30,9 @@
         # Digests already have their own header and footers attached.
         return
     d = Utils.SafeDict(mlist.__dict__)
+    # Certain attributes are sensitive
+    del d['password']
+    del d['passwords']
     d['cgiext'] = mm_cfg.CGIEXT
     # interpolate into the header
     try:
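Review bot: The two `del` lines are a deny-list, so every other attribute in `mlist.__dict__` remains available to the header and footer templates that are interpolated from `d` below. Any other sensitive field, present now or added later, would be exposed the same way; building `d` from an explicit list of the substitution names meant for templates would fail closed. Two things should also be confirmed outside this hunk. First, that Utils.SafeDict copies the mapping rather than wrapping it, since otherwise `del d['password']` would remove the attribute from the live list object. Second, that both keys always exist, since `del` raises KeyError on a missing key.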
Index: admin/www/download.ht
===================================================================
RCS file: /cvsroot/mailman/mailman/admin/www/download.ht,v
retrieving revision 1.5.2.1
retrieving revision 1.5.2.2
diff -u -r1.5.2.1 -r1.5.2.2
--- admin/www/download.ht	2001/01/03 06:53:29	1.5.2.1
+++ admin/www/download.ht	2001/03/03 06:18:47	1.5.2.2
@@ -65,9 +65,9 @@
 <h3>Downloading</h3>
 
 <p>Version
-(<!-VERSION--->2.0.1<!-VERSION--->,
+(<!-VERSION--->2.0.2<!-VERSION--->,
 released on
-<!-DATE--->Jan  3 2001<!-DATE--->)
+<!-DATE--->Mar  3 2001<!-DATE--->)
 is the current GNU release.  It is available from the following mirror sites:
 
 <ul>
Index: admin/www/download.html
===================================================================
RCS file: /cvsroot/mailman/mailman/admin/www/download.html,v
retrieving revision 1.6.2.3
retrieving revision 1.6.2.4
diff -u -r1.6.2.3 -r1.6.2.4
--- admin/www/download.html	2001/01/05 16:23:07	1.6.2.3
+++ admin/www/download.html	2001/03/03 06:18:47	1.6.2.4
@@ -1,6 +1,6 @@
 <HTML>
 <!-- THIS PAGE IS AUTOMATICALLY GENERATED.  DO NOT EDIT. -->
-<!-- Fri Jan  5 11:17:23 2001 -->
+<!-- Sat Mar  3 01:06:34 2001 -->
 <!-- USING HT2HTML 1.1 -->
 <!-- SEE http://www.wooz.org/barry/software/pyware.html -->
 <!-- User-specified headers:
@@ -237,9 +237,9 @@
 <h3>Downloading</h3>
 
 <p>Version
-(<!-VERSION--->2.0.1<!-VERSION--->,
+(<!-VERSION--->2.0.2<!-VERSION--->,
 released on
-<!-DATE--->Jan  3 2001<!-DATE--->)
+<!-DATE--->Mar  3 2001<!-DATE--->)
 is the current GNU release.  It is available from the following mirror sites:
 
 <ul>
Index: bin/newlist
===================================================================
RCS file: /cvsroot/mailman/mailman/bin/newlist,v
retrieving revision 1.36
retrieving revision 1.36.2.1
diff -u -r1.36 -r1.36.2.1
--- bin/newlist	2000/11/15 12:49:18	1.36
+++ bin/newlist	2001/03/03 05:58:19	1.36.2.1
@@ -1,6 +1,6 @@
 #! /usr/bin/env python
 #
-# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
+# Copyright (C) 1998,1999,2000,2001 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -26,7 +26,7 @@
     --quiet
         Normally the administrator is notified by email (after a prompt) that
         their list has been created.  This option suppresses that
-        notification.
+        notification and the prompting.
 
     -o file
     --output=file
@@ -36,11 +36,8 @@
     -h/--help
         Print this help text and exit.
 
-You can specify as many of the arguments as you want on the command line. 
-The optional <immediate> argument, if present, means to send out the notice 
-immediately.  Otherwise, the script hangs pending input, to give time for
-the person creating the list to customize it before sending the admin an
-email notice about the existence of the new list.
+You can specify as many of the arguments as you want on the command line:
+you will be prompted for the missing ones.
 
 Note that listnames are forced to lowercase.
 """
Index: bin/update
===================================================================
RCS file: /cvsroot/mailman/mailman/bin/update,v
retrieving revision 1.24
retrieving revision 1.24.2.1
diff -u -r1.24 -r1.24.2.1
--- bin/update	2000/11/01 02:31:28	1.24
+++ bin/update	2001/03/02 23:19:33	1.24.2.1
@@ -72,7 +72,10 @@
 def makeabs(relpath):
     return os.path.join(mm_cfg.PREFIX, relpath)
 
+def make_varabs(relpath):
+    return os.path.join(mm_cfg.VAR_PREFIX, relpath)
 
+
 
 def dolist(listname):
     errors = 0
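Review bot: make_varabs() is added without a docstring, and from the name alone it is not clear when to use it instead of makeabs(). A one-line docstring would do, for example `"""Return relpath joined onto mm_cfg.VAR_PREFIX; use this, not makeabs(), for paths under VAR_PREFIX."""`. The paths the later hunks route through it are all archive paths, so the docstring could name the archives as the case it exists for.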
@@ -83,11 +86,12 @@
         print 'WARNING: could not acquire lock for list:', listname
         return 1
 
-    mbox_dir = makeabs('archives/private/%s.mbox' % (listname))
-    mbox_file = makeabs('archives/private/%s.mbox/%s' % (listname, listname))
+    mbox_dir = make_varabs('archives/private/%s.mbox' % (listname))
+    mbox_file = make_varabs('archives/private/%s.mbox/%s' % (listname,
+                                                             listname))
 
-    o_pub_mbox_file = makeabs('archives/public/%s' % (listname))
-    o_pri_mbox_file = makeabs('archives/private/%s' % (listname))
+    o_pub_mbox_file = make_varabs('archives/public/%s' % (listname))
+    o_pri_mbox_file = make_varabs('archives/private/%s' % (listname))
 
     html_dir = o_pri_mbox_file
     o_html_dir = makeabs('public_html/archives/%s' % (listname))
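Review bot: `o_html_dir` on the last line of this hunk still goes through makeabs(), while the other old-location paths just above it (`o_pub_mbox_file`, `o_pri_mbox_file`) were moved to make_varabs(). If that is deliberate because the pre-upgrade `public_html/archives` tree lived under PREFIX, a short comment such as `# old HTML archives were under PREFIX, not VAR_PREFIX` would keep a later reader from changing it. If it is an oversight, the update would look in the wrong place on installs where PREFIX != VAR_PREFIX. dolist() continues outside the hunk.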
@@ -193,9 +197,9 @@
     # save the new variables and
     # let it create public symlinks if necessary
     #
-    mlist.archive_directory = makeabs('archives/private/%s' % (listname))
-    mlist.private_archive_file_dir = makeabs('archives/private/%s.mbox' %
-                                             listname)
+    mlist.archive_directory = make_varabs('archives/private/%s' % (listname))
+    mlist.private_archive_file_dir = make_varabs('archives/private/%s.mbox' %
+                                                 listname)
     mlist.Save()
     #
     # check to see if pre-b4 list-specific templates are around