Bugs item #815297, was opened at 2003-09-30 19:42
Message generated for change (Settings changed) made by ber
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=815297&group_i…
Category: security/privacy
Group: 2.1 (stable)
Status: Open
Resolution: None
>Priority: 8
Submitted By: Bernhard Reiter (ber)
Assigned to: Nobody/Anonymous (nobody)
Summary: Breaking signatures in message/rfc822 attachment!
Initial Comment:
Mailman _must_ not touch MIME-parts which are nested more deeply in the mail. As tested with Mailman 2.1.2, header lines will be sometimes reformatted in message/rfc822 attachments which will break the OpenPGP signature (also conforming to the PGP/MIME standard) on that part.
I'm attaching a simple email with one long header. Forward this as MIME part and sign it sending it through Mailman, the signature will be broken.
This is an email security affecting bug, because if people start believing that a *BAD* signature does not mean much, because they get many broken by mailman, they will not react to a seriously manipulated email anymore!
----------------------------------------------------------------------
Comment By: Marc Mutz (mmutz)
Date: 2003-10-03 17:54
Message:
Logged In: YES
user_id=82377
This is not limited to message/rfc822 at all:
As a specific example, create a message with an attachment
and add the header
Content-Disposition: attachment; filename="more-than-70-chars.txt"
(all in a single line), then send it through a mailman-managed ml.
Result: mailman "fixes" the message to look like
Content-Disposition: attachment;
\tfilename="more-than-70-chars.txt"
It even does that inside a multipart/signed part, and this is
where it breaks the signature verification.
----------------------------------------------------------------------
Comment By: Bernhard Reiter (ber)
Date: 2003-09-30 19:46
Message:
Logged In: YES
user_id=113859
Here is the email signed by myself and broken
after delivery through mailman. Check the "To:" header line.
----------------------------------------------------------------------
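The failure reported in this item, shown as an added example that is not Mailman code and not part of the original tracker thread: re-folding one long header inside the signed part leaves the header's meaning unchanged but alters the bytes the detached signature covers. The refold function is a constructed stand-in for the behaviour described in the comments, the sample message and its signature part are constructed placeholders, and a SHA-256 digest of the part stands in for the signature input.

```python
import hashlib
import re

CRLF = b"\r\n"


def unfold(header_block: bytes) -> bytes:
    """Collapse each CRLF + whitespace continuation into a single space."""
    return re.sub(rb"\r\n[ \t]+", b" ", header_block)


def signed_part_bytes(raw: bytes) -> bytes:
    """Return the exact bytes of the first body part of a multipart/signed
    message, i.e. the data the detached signature was computed over."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no header/body separator")
    m = re.search(
        rb'(?im)^content-type:\s*multipart/signed\b.*?boundary="?([^";\r\n]+)"?',
        unfold(head),
    )
    if not m:
        raise ValueError("not a multipart/signed message")
    delim = CRLF + b"--" + m.group(1)
    body = CRLF + body  # the CRLF before a delimiter line belongs to the delimiter
    start = body.find(delim + CRLF)
    if start < 0:
        raise ValueError("opening boundary not found")
    start += len(delim + CRLF)
    end = body.find(delim, start)
    if end < 0:
        raise ValueError("closing boundary not found")
    return body[start:end]


def refold_long_headers(part: bytes, limit: int = 70) -> bytes:
    """Constructed stand-in for the reported behaviour: a header line longer
    than `limit` is folded after each '; ' with CRLF + TAB."""
    head, sep, body = part.partition(CRLF + CRLF)
    lines = [
        line.replace(b"; ", b";" + CRLF + b"\t") if len(line) > limit else line
        for line in head.split(CRLF)
    ]
    return CRLF.join(lines) + sep + body


def relay(raw: bytes, transform) -> bytes:
    """Model a list server that applies `transform` to the signed part."""
    part = signed_part_bytes(raw)
    return raw.replace(part, transform(part), 1)


def digest(raw: bytes) -> str:
    return hashlib.sha256(signed_part_bytes(raw)).hexdigest()


def signed_part_intact(inbound: bytes, outbound: bytes) -> bool:
    """Regression check: the signed part must leave byte-for-byte as it came in."""
    return digest(inbound) == digest(outbound)


# Constructed sample message; the signature part is a placeholder.
SAMPLE = CRLF.join([
    b"From: alice@example.org",
    b"To: list@example.org",
    b"Subject: signed attachment",
    b"MIME-Version: 1.0",
    b"Content-Type: multipart/signed; micalg=pgp-sha1;",
    b'\tprotocol="application/pgp-signature"; boundary="sig-b1"',
    b"",
    b"--sig-b1",
    b"Content-Type: text/plain; charset=us-ascii",
    b'Content-Disposition: attachment; filename="a-name-long-enough-to-push-this-header-past-seventy-characters.txt"',
    b"",
    b"hello",
    b"--sig-b1",
    b"Content-Type: application/pgp-signature",
    b"",
    b"(constructed placeholder, not a real signature)",
    b"--sig-b1--",
    b"",
])

if __name__ == "__main__":
    refolded = relay(SAMPLE, refold_long_headers)
    print("untouched relay intact:", signed_part_intact(SAMPLE, relay(SAMPLE, lambda p: p)))
    print("refolded relay intact: ", signed_part_intact(SAMPLE, refolded))
    print("same after unfolding:  ",
          unfold(signed_part_bytes(SAMPLE)) == unfold(signed_part_bytes(refolded)))
```

Comparing the digest of the signed part before and after list processing gives a delivery-path check that does not depend on having the sender's key.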
Bugs item #870028, was opened at 2004-01-03 14:09
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=870028&group_i…
Category: Web/CGI
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 7
Submitted By: Barry A. Warsaw (bwarsaw)
Assigned to: Barry A. Warsaw (bwarsaw)
Summary: html in listinfo is quoted
Initial Comment:
If you enter html into the 'info' text area, the
listinfo page sees that html as quoted, not as valid
html. This is a result of the XSS hole closure in
2.1.4, but some innocent tags should be allowed back in.
----------------------------------------------------------------------
Patches item #869644, was opened at 2004-01-03 00:45
Message generated for change (Comment added) made by berndts
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=869644&group_i…
Category: Web UI
Group: Mailman 2.1
Status: Closed
Resolution: Accepted
Priority: 5
Submitted By: Stephan Berndts (berndts)
Assigned to: Barry A. Warsaw (bwarsaw)
Summary: Fix: Error accessing priv. roster/arch w/ non-member address
Initial Comment:
Mailman 2.1.4 is producing a bug if one tries to login to a private
roster or archive with an email address which is not a member of
the respective mailing list.
This patch solves the problem.
----------------------------------------------------------------------
>Comment By: Stephan Berndts (berndts)
Date: 2004-01-03 14:02
Message:
Logged In: YES
user_id=129854
I should have included a traceback -- sorry.
The error occurs even if you already have a Mailman cookie for another
mailing list and try to login to a private roster/ archive afterwards. (With
another address?)
The linenumbers may differ from a fresh Mailman 2.1.4 installation as I
applied some patches.
Traceback (most recent call last):
  File "/usr/local/mailman/scripts/driver", line 87, in run_main
    main()
  File "/usr/local/mailman/Mailman/Cgi/private.py", line 141, in main
    password, username):
  File "/usr/local/mailman/Mailman/SecurityManager.py", line 220, in WebAuthenticate
    ok = self.CheckCookie(ac, user)
  File "/usr/local/mailman/Mailman/SecurityManager.py", line 300, in CheckCookie
    ok = self.__checkone(c, authcontext, user)
  File "/usr/local/mailman/Mailman/SecurityManager.py", line 311, in __checkone
    key, secret = self.AuthContextInfo(authcontext, user)
  File "/usr/local/mailman/Mailman/SecurityManager.py", line 105, in AuthContextInfo
    secret = self.getMemberPassword(user)
  File "/usr/local/mailman/Mailman/OldStyleMemberships.py", line 102, in getMemberPassword
    raise Errors.NotAMemberError, member
NotAMemberError: someaddress
----------------------------------------------------------------------
Comment By: Barry A. Warsaw (bwarsaw)
Date: 2004-01-03 02:15
Message:
Logged In: YES
user_id=12800
Somehow I downloaded an older SecurityManager.py.patch. I
grabbed it again and now see what you're talking about.
Here's one way the bug can be manifest: if you were a member
when you logged in to read the archives, but got
subsequently removed before your cookie expired (i.e. your
browser exited). Is there another way this crash can happen?
----------------------------------------------------------------------
Comment By: Stephan Berndts (berndts)
Date: 2004-01-03 01:09
Message:
Logged In: YES
user_id=129854
That's a completely different position in the file!? I am in function
__checkone, not in Authenticate.
Your comment does not match my patch :)
----------------------------------------------------------------------
Comment By: Barry A. Warsaw (bwarsaw)
Date: 2004-01-03 01:02
Message:
Logged In: YES
user_id=12800
Are you sure you're looking at version 2.20.2.2 of
SecurityManager.py? Here's what the AuthUser clause looks like:
    elif ac == mm_cfg.AuthUser:
        if user is not None:
            try:
                if self.authenticateMember(user, response):
                    return ac
            except Errors.NotAMemberError:
                pass
This doesn't match the patch, so I'm wondering if your
files are out of date?
----------------------------------------------------------------------
Patches item #444879, was opened at 2001-07-26 18:01
Message generated for change (Comment added) made by ppsys
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=444879&group_i…
Category: Pipermail
Group: Mailman 2.2 / 3.0
Status: Open
Resolution: None
Priority: 3
Submitted By: Richard Barrett (ppsys)
Assigned to: Barry A. Warsaw (bwarsaw)
Summary: Archive indexer control to improve index
Initial Comment:
This patch is applicable to Mailman 2.0.6 release and supersedes earlier patches 401669 and 402422.
This patch should improve the quality of search results returned by search engines such as htdig (http://www.htdig.org) where the search engine's index builder responds to strings embedded in the html pages that are the subject of the indexing. The changes in this patch:
1. allow strings for enabling and disabling indexing to be defined in mm_cfg.py.
2. embeds those strings in the pages generated as the html version of a list's archive.
By default nothing in the html changes. To get the desired effect, you must define ARCHIVE_INDEXING_ENABLE and ARCHIVE_INDEXING_DISABLE in mm_cfg.py
You probably want to run this patch as follows:
    cd <mailman 2.0.6 untarred and unzipped directory>
    patch -p1 < <this patch file>
See also the associated patch for integrating the htdig search software with mailman's internal archiver output.
----------------------------------------------------------------------
>Comment By: Richard Barrett (ppsys)
Date: 2004-01-03 09:20
Message:
Logged In: YES
user_id=75166
indexing-2.1.4-0.1.patch is a MM 2.1.4 compatible version of the
patch
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-09-30 20:10
Message:
Logged In: YES
user_id=75166
indexing-2.1.3-0.1.patch is a MM 2.1.3 compatible version of
the patch
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-04-28 14:37
Message:
Logged In: YES
user_id=75166
indexing-2.1.2-0.1.patch.gz no longer needs patch #661138
to be applied as that patch was incorporated in the MM 2.1.2
release
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-04-28 14:34
Message:
Logged In: YES
user_id=75166
indexing-2.1.2-0.1.patch.gz is revised for MM 2.1.2
compatibility.
Before applying this version of the patch you must also apply
Bug fix patch #728836 to the source distribution
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-02-10 15:49
Message:
Logged In: YES
user_id=75166
indexing-2.1.1-0.1.patch.gz introduces no functional change
but applies without offset warnings to MM 2.1.1
Before applying this patch to the MM 2.1 source distribution
you must apply patch 661138 (corrects defects in some
HTML templates) to the distribution
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-01-02 16:05
Message:
Logged In: YES
user_id=75166
indexing-2.1-0.1.patch is a revised version of the patch
that is compatible with MM 2.1.
Before applying this patch to the MM 2.1 source distribution
you must apply patch 661138 (corrects defects in some
HTML templates) to the distribution
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-12-11 11:55
Message:
Logged In: YES
user_id=75166
indexing-2.1b6-0.1.patch is a revised version of the patch
that is compatible with MM 2.1b6
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-12-11 11:53
Message:
Logged In: YES
user_id=75166
indexing-2.1b6-0.1.patch is a revised version of the patch
that is compatible with MM 2.1b6
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-12-11 11:52
Message:
Logged In: YES
user_id=75166
indexing-2.1b6-0.1.patch is a revised version of the patch
that is compatible with MM 2.1b6
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-11-27 10:22
Message:
Logged In: YES
user_id=75166
indexing-2.1b5-0.1.patch is a revised version of the patch
that is compatible with MM 2.1b5
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-10-30 11:40
Message:
Logged In: YES
user_id=75166
indexing-2.1b4-0.1.patch is a revised version of the patch
that is compatible with MM 2.1b4
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-10-30 11:39
Message:
Logged In: YES
user_id=75166
indexing-2.1b4-0.1.patch is a revised version of the patch
that is compatible with MM 2.1b4
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-08-14 16:46
Message:
Logged In: YES
user_id=75166
indexing-2.1b3-0.1.patch is a revised version of the patch
that is compatible with MM 2.1b3
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-08-08 17:32
Message:
Logged In: YES
user_id=75166
An additional file, README.NOINDEXtags is added to
indexing-2.0.13-0.3.patch version that discusses the issue of
what tags to use for controlling various search engine
indexers.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-08-08 17:19
Message:
Logged In: YES
user_id=75166
An error when building the indexing-2.1b2-0.1.patch meant
that copies of the originals of two of the files modified by this
version of the patch were added when the patch was run.
indexing-2.1b2-0.1.patch removes this error. However, the
original error is benign and can be corrected by deleting the
extra files HyperArch.py.orig and Defaults.py.in.orig.
An additional file, README.NOINDEXtags is added that
discusses the issue of what tags to use for controlling various
search engine indexers.
----------------------------------------------------------------------
Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-08-08 14:19
Message:
Logged In: YES
user_id=12800
Another question: is there no standard (de-facto or
otherwise) for generic markup that tells indexers not to
index a particular section? IOW, for
ARCHIVE_INDEXING_ENABLE and ARCHIVE_INDEXING_DISABLE, is
there some generic value that would instruct most (all?)
indexers to ignore that section? Or does it necessarily
have to be indexer specific?
I'm thinking of the situation where you might have ht://Dig
installed locally, but your archives are still being
spidered by external indexers. It would be good if
something more generic could be added to Defaults.py.in
----------------------------------------------------------------------
Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-08-08 14:14
Message:
Logged In: YES
user_id=12800
Looking at the 2.1b2 patch, why does it try to create
HyperArch.py.orig and Defaults.py.in.orig? Are those
included in the patch by mistake?
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-08-05 10:08
Message:
Logged In: YES
user_id=75166
indexing-2.0.13-0.2.patch just adds a GPL notice to the patch
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-08-01 16:33
Message:
Logged In: YES
user_id=75166
indexing-2.1b2-0.1.patch is a revised version of the patch
that is compatible with MM 2.1b2
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-07-30 11:23
Message:
Logged In: YES
user_id=75166
indexing-2.0.13-0.1.patch is purely cosmetic to get no
mumble application to MM 2.0.13
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-07-25 14:11
Message:
Logged In: YES
user_id=75166
indexing-2.0.11-0.1.patch should apply without problems to
MM 2.0.12
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-05-23 09:50
Message:
Logged In: YES
user_id=75166
indexing-2.0.11-0.1.patch is a revised version of the patch
that is compatible with MM 2.0.11
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-04-19 10:53
Message:
Logged In: YES
user_id=75166
indexing-2.0.9-0.1.patch should apply without problems to
MM 2.0.10
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-04-08 17:43
Message:
Logged In: YES
user_id=75166
indexing-2.0.9-0.1.patch is a revised version of the patch
that is compatible with MM 2.0.9
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-03-06 16:14
Message:
Logged In: YES
user_id=75166
indexing-2.1cvs-20020306.patch is a revised version of the patch that is compatible with the code
published in mailman CVS on sourceforge as 12:30 GMT 6 Mar 2002.
Corrects problem noted on 5 Mar 2002 by nobody
----------------------------------------------------------------------
Comment By: Nobody/Anonymous (nobody)
Date: 2002-03-05 21:41
Message:
Logged In: NO
When applying this patch I get an error with Hunk 1 and
Defaults.py is not updated. This happens with a clean
download of the latest cvs installation (5 Mar 2002). Any
ideas what the problem is?
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2001-12-17 16:53
Message:
Logged In: YES
user_id=75166
indexing-2.1cvs-20011217.patch is a revised version of the
patch that is compatible with the code published in mailman
CVS on sourceforge as 11:50 GMT 17 Dec 2001
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2001-12-13 16:48
Message:
Logged In: YES
user_id=75166
indexing-2.1a3-0.1.patch is a revised version of the patch that is compatible with the code published in
mailman-2.1a3.tgz on sourceforge.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2001-11-28 11:07
Message:
Logged In: YES
user_id=75166
This patch should also apply without problems to MM 2.0.8
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2001-11-27 12:03
Message:
Logged In: YES
user_id=75166
This patch should also apply without problems to MM 2.0.7
----------------------------------------------------------------------
Patches item #444884, was opened at 2001-07-26 18:27
Message generated for change (Comment added) made by ppsys
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=444884&group_i…
Category: Unofficial 2.0 patch
Group: Mailman 2.2 / 3.0
Status: Open
Resolution: None
Priority: 3
Submitted By: Richard Barrett (ppsys)
Assigned to: Barry A. Warsaw (bwarsaw)
Summary: Integration of Mailman & htdig for archi
Initial Comment:
This patch is applicable to Mailman 2.0.6 release that
has had search enhancement patch 444879 patch
installed - if your Defaults.py has the
ARCHIVE_INDEXING_ENABLE and ARCHIVE_INDEXING_DISABLE
in it then you've got that patch.
It replaces earlier patches 401670 and 402423 and is
mainly to correct some problems arising from fixes
introduced into Mailman by bug fix releases since the
402423 patch.
This patch integrates htdig with Mailman and provides:
1. per list search facility with a search form on the list's TOC page.
2. maintenance of privacy of private archives which requires the user to establish their credentials via the normal private archive access before any access via htdig is allowed.
3. a common base URL for both public and private archive access via htsearch results so that htdig indices are unaffected by changing an archive from private to public and vice versa. All access to archives via htdig is controlled by a new wrapped cgi-bin script called htdig.py.
4. a new cron activated script and extra crontab entry which runs htdig regularly to maintain the per list search indices.
5. automatic creation, deletion and maintenance of htdig configuration files and such. Beyond installing htdig and telling Mailman where it is via mm_cfg you do not have to do any other setup. Well not quite you do have to set up a single per installation symlink to allow htdig to find the automatically generated per list htdig configuration files.
You probably want to run this patch as follows:
cd <mailman 2.0.6 untarred and unzipped directory>
patch -p1 < <this patch file>
----------------------------------------------------------------------
>Comment By: Richard Barrett (ppsys)
Date: 2004-01-03 09:16
Message:
Logged In: YES
user_id=75166
htdig-2.1.4-0.1.patch is a MM 2.1.4 compatible version of
the patch
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-12-15 16:13
Message:
Logged In: YES
user_id=75166
htdig-2.1.3-0.5.patch modifies htdig.py and private.py; the
security changes introduced by htdig-2.1.3-0.2 patch to
these scripts incorrectly blocked access to the
listname.mbox/listname.mbox file. The 0.5 revision of the
patch corrects this error. This problem and a suggested fix
were pointed out to me in a private email by Stephan Berndts
stb-mm at spline.de
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-10-22 14:55
Message:
Logged In: YES
user_id=75166
htdig-2.1.3-0.4.patch provides minor improvements in
handling of HTTP request handled by htdig.py which lead to
the user receiving an authentication challenge.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-10-19 21:13
Message:
Logged In: YES
user_id=75166
htdig-2.1.3-0.3.patch.gz adds minor private archive security
improvements to the patch for MM 2.1.3
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-09-30 20:14
Message:
Logged In: YES
user_id=75166
htdig-2.1.3-0.1.patch is a MM 2.1.3 compatible version of
the patch
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-06-06 17:47
Message:
Logged In: YES
user_id=75166
last comment should have read:
htdig-2.1.2-0.4.patch.gz corrects an error in 2 scripts,
mmsearch.py and remote_mmsearch, which caused an
exception if list archives were being accessed via HTTPS and
a search was performed.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-06-06 17:45
Message:
Logged In: YES
user_id=75166
htdig-2.1.2-0.3.patch.gz corrects an error in 2 scripts,
mmsearch.py and remote_mmsearch, which caused an
exception if list archives were being accessed via HTTPS and
a search was performed.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-05-01 19:00
Message:
Logged In: YES
user_id=75166
htdig-2.1.2-0.3.patch.gz adds some minor performance
improvement in template handling in MM 2.1.2
You should consider also applying this bug-fix patch:
[ 730769 ] template access hierarchy is broken
http://sourceforge.net/tracker/index.php?func=detail&aid=730769&group_id=103&atid=100103
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-04-28 15:44
Message:
Logged In: YES
user_id=75166
htdig-2.1.2-0.2.patch.gz corrects error in file uploaded as
htdig-2.1.2-0.1.patch.gz. Sorry for any inconvenience.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-04-28 14:46
Message:
Logged In: YES
user_id=75166
htdig-2.1.2-0.1.patch.gz is a revised version for MM 2.1.2
compatibility.
It also incorporates a previously unpublished change to
overcome a potential problem with htdig excluded urls - see
the INSTALL.htdig-mm file for more information
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-03-21 18:29
Message:
Logged In: YES
user_id=75166
htdig-2.1.1-0.4.patch.gz fixes a problem with mmsearch
handling multi-page search results from htsearch.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-03-21 17:54
Message:
Logged In: YES
user_id=75166
htdig-2.1.1-0.3.patch.gz fixes a fault when mmsearch.py is
raising an exception because it has had a problem running
htsearch
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-03-20 14:10
Message:
Logged In: YES
user_id=75166
htdig-2.1.1-0.2.patch.gz closes a security exploit which allows
leakage of information held in htdig's per-list search indexes
to users not authorized to view private list archives.
Read file INSTALL.htdig-mm installed by this patch for details
and instructions for upgrading MM installations using earlier
versions of this patch
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-02-10 15:50
Message:
Logged In: YES
user_id=75166
htdig-2.1.1-0.1.patch.gz introduces no functional change but
applies without offset warnings to MM 2.1.1
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-02-05 18:12
Message:
Logged In: YES
user_id=75166
It seems it is possible, if this patch is installed, for a list's
htdig conf file and the list specific htdig index db files to be
read directly through the web interface for list archives.
Even if this patch isn't installed it seems a list's pipermail.pck
file can also be read directly through the web interface for list
archives.
This seems to be true for accesses via /pipermail for public
lists and via /mailman/private for private lists.
The problem does not occur for htdig search results
accessed via /mailman/htdig as the htdig.py script is more
protective than private.py
Broadly speaking the data affected is available to a user in
normal operation which is why I do not consider the issue to
be a security breach as such.
Adding the following RewriteRule to Apache's httpd.conf
prevents the situation, assuming you got the RewriteEngine
On:
RewriteRule ^(/pipermail/.*)/(pipermail.pck|htdig/[^/]*)$ $1/index.html [F]
RewriteRule ^(/mailman/private/.*)/(pipermail.pck|htdig/[^/]*)$ $1/index.html [F]
You could, of course, substitute an R flag for the F flag on the
RewriteRules and be more hacker friendly.
----------------------------------------------------------------------
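A way to check the two RewriteRule lines from the comment above against request paths before deploying them, as an added example that is not part of the original thread or of the patch. It is a simplified model of mod_rewrite in server context that handles only the F and R flags; the list name and file names in the sample paths are constructed.

```python
import re

# The two directives as given in the comment above.
CONF = r"""
RewriteRule ^(/pipermail/.*)/(pipermail.pck|htdig/[^/]*)$ $1/index.html [F]
RewriteRule ^(/mailman/private/.*)/(pipermail.pck|htdig/[^/]*)$ $1/index.html [F]
"""


def parse_rules(conf):
    """Parse 'RewriteRule <pattern> <substitution> [flags]' lines."""
    rules = []
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "RewriteRule":
            continue
        flags = fields[3].strip("[]").split(",") if len(fields) > 3 else []
        rules.append((re.compile(fields[1]), fields[2], flags))
    return rules


def evaluate(rules, path):
    """Return (status, target) for a URL path.

    Simplified model (assumption): first matching rule wins; F gives 403,
    R gives a 302 to the substitution, anything else is an internal rewrite.
    """
    for pattern, substitution, flags in rules:
        m = pattern.search(path)
        if m is None:
            continue
        if "F" in flags:
            return (403, None)
        # Expand $1..$9 back-references from the matched groups.
        target = re.sub(r"\$(\d)",
                        lambda g: m.group(int(g.group(1))) or "",
                        substitution)
        return (302 if "R" in flags else 200, target)
    return (200, path)


# Constructed request paths for a list called "mylist".
SAMPLE_PATHS = [
    "/pipermail/mylist/pipermail.pck",
    "/pipermail/mylist/htdig/db.docdb",
    "/mailman/private/mylist/htdig/mylist.conf",
    "/pipermail/mylist/2003-January/000001.html",
    "/mailman/htdig/mylist/2003-January/000001.html",
]

if __name__ == "__main__":
    forbid = parse_rules(CONF)
    redirect = parse_rules(CONF.replace("[F]", "[R]"))
    for p in SAMPLE_PATHS:
        print(p, "F:", evaluate(forbid, p), "R:", evaluate(redirect, p))
```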
Comment By: Richard Barrett (ppsys)
Date: 2003-01-22 14:20
Message:
Logged In: YES
user_id=75166
htdig-2.1-0.3.patch corrects yet another bug in htdig.py. Hope
that's all of them!
Stops use of obsolete config variable DEFAULT_HOST in
several files.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-01-15 20:18
Message:
Logged In: YES
user_id=75166
htdig-2.1-0.2.patch corrects a bug in htdig.py and deals with
an adverse interaction between htdig.py and a bug in
$prefix/scripts/driver (see #668685 for a patch to fix this).
It also improves the content type and security handling by
htdig.py for MM 2.1 version of patch
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-01-15 20:14
Message:
Logged In: YES
user_id=75166
Uploaded wrong file mailer-2.0.13-0.4.patch on last attempt.
Should have been htdig-2.0.13-0.4.patch which improves the
content type and security handling by htdig.py for MM 2.0.13
version of patch.
Please ignore mailer-2.0.13-0.4.patch file
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-01-15 20:09
Message:
Logged In: YES
user_id=75166
mailer-2.0.13-0.4.patch improves the content type and
security handling by htdig.py for MM 2.0.13 version of patch
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2003-01-02 16:07
Message:
Logged In: YES
user_id=75166
htdig-2.1-0.1.patch is a revised version of the patch that is
compatible with MM 2.1
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-12-11 11:48
Message:
Logged In: YES
user_id=75166
htdig-2.1b6-0.1.patch is a revised version of the patch that is
compatible with MM 2.1b6
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-12-04 10:53
Message:
Logged In: YES
user_id=75166
htdig-2.0.13-0.3.patch corrects a minor typo in text appearing
in the list TOC after the patch is applied.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-11-27 10:24
Message:
Logged In: YES
user_id=75166
htdig-2.1b5-0.1.patch is a revised version of the patch that is
compatible with MM 2.1b5
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-10-30 11:43
Message:
Logged In: YES
user_id=75166
htdig-2.1b4-0.1.patch is a revised version of the patch that is
compatible with MM 2.1b4
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-10-14 11:50
Message:
Logged In: YES
user_id=75166
htdig-2.1b3-0.3.patch removes use of the file() function, used
instead of the open() function, in three cron scripts added by
the patch. Use of the file() function created an unnecessary
dependency on Python 2.2
----------------------------------------------------------------------
Comment By: Colin Mackinlay (cmackinlay)
Date: 2002-10-12 16:51
Message:
Logged In: YES
user_id=624179
Got a workaround!
The line referred to in the traceback:
file(rundig_run_file, 'w').close()
is used to create a 'rundig_last_run' file of length 0 bytes
Creating this manually (or copying it) means the line isn't
called and everything seems to work.
Either file() is not a valid function call or my python is broken -
I'm not literate enough in python to know the answer though!
----------------------------------------------------------------------
Comment By: Colin Mackinlay (cmackinlay)
Date: 2002-10-06 14:18
Message:
Logged In: YES
user_id=624179
Just rebuilt MM as 2.1b3 with htdig.
Upgraded lists which had htdig before work fine
New lists give the obvious error:
Unable to read word database file
Did you run htmerge?
Running the cronjob doesn't fix as it used to, message is:
Output from command /usr/bin/python -S /usr/local/mailman/cron/nightly_htdig ..
Traceback (most recent call last):
  File "/usr/local/mailman/cron/nightly_htdig", line 153, in ?
    main()
  File "/usr/local/mailman/cron/nightly_htdig", line 118, in main
    file(rundig_run_file, 'w').close()
NameError: global name 'file' is not defined
The archive/htdig folder only contains the xx.conf file, but no
db.xx files
If I copy in db.xx files from another list then the problem goes
away (except I've now got an invalid set of references!)
Is this my elementary error or is it more sinister?!
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-08-15 11:02
Message:
Logged In: YES
user_id=75166
htdig-2.1b3-0.2.patch corrects a dumb syntax error in
htdig-2.1b3-0.1.patch which will typically show up as logged errors
in the operation of the ArchRunner qrunner at line 721 of
HyperArch.py
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-08-14 16:51
Message:
Logged In: YES
user_id=75166
htdig-2.1b3-0.1.patch is a revised version of the patch that is
compatible with MM 2.1b3
----------------------------------------------------------------------
Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-08-08 16:33
Message:
Logged In: YES
user_id=12800
I've sent Richard some comments off-line about this patch.
Meta comments: the 2.0.x patches can't be officially
supported, but I'm going to create an unofficial patches
page off the wiki for where the 2.0 patches can be migrated.
I think this patch set is too big for MM2.1, but if it's
cleaned up as per my private message, let's re-evaluate it
for MM2.2 (or 3.0).
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-08-05 10:11
Message:
Logged In: YES
user_id=75166
htdig-2.0.13-0.2.patch just adds a GPL notice to the patch
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-08-01 16:35
Message:
Logged In: YES
user_id=75166
htdig-2.1b2-0.1.patch is a revised version of the patch
that is compatible with MM 2.1b2
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-07-30 11:25
Message:
Logged In: YES
user_id=75166
htdig-2.0.13-0.1.patch is purely cosmetic to get no mumble
application to MM 2.0.13
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-07-25 15:07
Message:
Logged In: YES
user_id=75166
Do not use htdig-2.0.12-0.1.patch; there is an error in it.
Use htdig-2.0.12-0.2.patch instead
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-07-25 14:10
Message:
Logged In: YES
user_id=75166
htdig-2.0.12-0.1.patch is a revised version of the patch that
applies without complaint to MM 2.0.12.
It also adds a facility for adding site wide htdig configuration
attributes to all list specific htdig configuration files.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-05-23 09:59
Message:
Logged In: YES
user_id=75166
htdig-2.0.11-0.1.patch is a revised version of the patch that
is compatible with MM 2.0.11
This version removes an incompatibility with Python 2.2
which caused warning messages to be generated when any
of the family cron/nightly_htdig scripts were run.
Some guidance on file access permissions for some htdig
database files needed by rundig has been added to
installation notes.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-04-19 10:59
Message:
Logged In: YES
user_id=75166
htdig-2.0.10-0.1.patch is a revised version of the patch
that is compatible with MM 2.0.10
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-04-08 17:46
Message:
Logged In: YES
user_id=75166
htdig-2.0.9-0.1.patch is a revised version of the patch
that is compatible with MM 2.0.9
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2002-03-06 16:22
Message:
Logged In: YES
user_id=75166
htdig-2.1cvs-20020306.patch is a revised version of the patch that is compatible with the code published in
mailman CVS on sourceforge as 12:30 GMT 6 Mar 2002
Known deficiency is that the non-English versions of files under $build/templates still contain text in English
and need translations I cannot do. Also the necessary pygettext activity and subsequent translations in
files under $build/messages remain to be done.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2001-12-17 16:56
Message:
Logged In: YES
user_id=75166
htdig-2.1cvs-20011217.patch is a revised version of the
patch that is compatible with the code published in mailman
CVS on sourceforge as 11:50 GMT 17 Dec 2001
The only known deficiency is that the non-English versions
of files under $build/templates still contain text in
English and need translations I cannot do. Also the
necessary pygettext activity and subsequent translations in
files under $build/messages remain to be done.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2001-12-13 16:58
Message:
Logged In: YES
user_id=75166
htdig-2.1a3-0.1.patch is a revised version of the patch that is compatible with the code published in
mailman-2.1a3.tgz on sourceforge.
The only known deficiency is that the non-English versions of files under $build/templates still contain text
in English and need translations I cannot do. Also the necessary pygettext activity and subsequent
translations in files under $build/messages remain to be done.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2001-11-28 17:33
Message:
Logged In: YES
user_id=75166
The htdig-2.0.8-0.1.patch version of the patch resolves a problem that can arise with htdig indexing if the
web_page_url for a list uses other than the http addressing (some folks want to use https). While specified
as for MM 2.0.8 the revised patch should work OK with 2.0.7, 2.0.6 and probably back as far as 2.0.3. If
you do not have the requirement for using other than http addressing in your lists' web_page_urls it probably
isn't worth the trouble of upgrading to this patch level.
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2001-11-28 11:08
Message:
Logged In: YES
user_id=75166
This patch should also apply without problems to MM 2.0.8
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2001-11-27 12:00
Message:
Logged In: YES
user_id=75166
This patch should also apply without problems to MM 2.0.7
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2001-11-09 11:54
Message:
Logged In: YES
user_id=75166
The htdig-2.0.6-03.patch version of the patch makes some
previously hard-coded things configurable and enhances the
capability to run the htdig searches and indexing on a
different machine to the one delivering Mailman and
Mailman's web UI.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=444884&group_i…
Patches item #869644, was opened at 2004-01-02 18:45
Message generated for change (Comment added) made by bwarsaw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=869644&group_i…
Category: Web UI
Group: Mailman 2.1
>Status: Closed
>Resolution: Accepted
Priority: 5
Submitted By: Stephan Berndts (berndts)
Assigned to: Barry A. Warsaw (bwarsaw)
Summary: Fix: Error accessing priv. roster/arch w/ non-member address
Initial Comment:
Mailman 2.1.4 is producing a bug if one tries to login to a private
roster or archive with an email address which is not a member of
the respective mailing list.
This patch solves the problem.
----------------------------------------------------------------------
>Comment By: Barry A. Warsaw (bwarsaw)
Date: 2004-01-02 20:15
Message:
Logged In: YES
user_id=12800
Somehow I downloaded an older SecurityManager.py.patch. I
grabbed it again and now see what you're talking about.
Here's one way the bug can be manifest: if you were a member
when you logged in to read the archives, but got
subsequently removed before your cookie expired (i.e. your
browser exited). Is there another way this crash can happen?
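
The scenario in the comment above (a cookie issued to a member who is later removed from the list), as an added example that is not Mailman's code and not part of the tracker item. ToyList and all of its method names are hypothetical stand-ins; the point is that a cookie check which looks the member up again has to treat "not a member" as a failed login rather than let the exception escape.

```python
import hashlib
import hmac


class NotAMemberError(Exception):
    """Raised when an address is not on the list's roster (stand-in class)."""


class ToyList:
    """Minimal stand-in for a list with a private archive; not Mailman code."""

    def __init__(self, name):
        self.name = name
        self._passwords = {}  # address -> member password

    def add_member(self, addr, password):
        self._passwords[addr.lower()] = password

    def remove_member(self, addr):
        del self._passwords[addr.lower()]

    def member_password(self, addr):
        try:
            return self._passwords[addr.lower()]
        except KeyError:
            raise NotAMemberError(addr)

    def make_cookie(self, addr):
        # The cookie value is derived from the member's current password.
        key = self.member_password(addr).encode()
        msg = f"{self.name}+user+{addr.lower()}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def check_cookie_unguarded(self, addr, cookie):
        # Recomputing the cookie looks the member up again, so a removed or
        # never-subscribed address escapes as an exception (the crash).
        return hmac.compare_digest(self.make_cookie(addr), cookie)

    def check_cookie(self, addr, cookie):
        # Fail closed: an unknown address is simply "not authenticated".
        try:
            return self.check_cookie_unguarded(addr, cookie)
        except NotAMemberError:
            return False
```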
----------------------------------------------------------------------
Comment By: Stephan Berndts (berndts)
Date: 2004-01-02 19:09
Message:
Logged In: YES
user_id=129854
That's a completely different position in the file!? I am in function
__checkone, not in Authenticate.
Your comment does not match my patch :)
----------------------------------------------------------------------
Comment By: Barry A. Warsaw (bwarsaw)
Date: 2004-01-02 19:02
Message:
Logged In: YES
user_id=12800
Are you sure you're looking at version 2.20.2.2 of
SecurityManager.py? Here's what the AuthUser clause looks like:
    elif ac == mm_cfg.AuthUser:
        if user is not None:
            try:
                if self.authenticateMember(user, response):
                    return ac
            except Errors.NotAMemberError:
                pass
This doesn't match the patch, so I'm wondering if your
files are out of date?
----------------------------------------------------------------------
Bugs item #869647, was opened at 2004-01-02 18:48
Message generated for change (Settings changed) made by bwarsaw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=869647&group_i…
Category: Web/CGI
Group: 2.1 (stable)
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Stephan Berndts (berndts)
Assigned to: Barry A. Warsaw (bwarsaw)
Summary: Error when accessing priv. roster/arch w/ non-member address
Initial Comment:
Barry removed too much code while trying to correct bug #864676. :(
So Mailman 2.1.4 is producing a bug if one tries to login to a private
roster or archive with an email address which is not a member of
the respective mailing list.
One possible solution is patch #869644.
----------------------------------------------------------------------
Comment By: Barry A. Warsaw (bwarsaw)
Date: 2004-01-02 19:03
Message:
Logged In: YES
user_id=12800
Please see the comment in patch 869644.
BTW, it's fine if you have a patch that specifically fixes a
bug, to attach the patch to the bug report directly.
----------------------------------------------------------------------
Patches item #869644, was opened at 2004-01-03 00:45
Message generated for change (Comment added) made by berndts
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=869644&group_i…
Category: Web UI
Group: Mailman 2.1
Status: Open
Resolution: None
Priority: 5
Submitted By: Stephan Berndts (berndts)
Assigned to: Barry A. Warsaw (bwarsaw)
Summary: Fix: Error accessing priv. roster/arch w/ non-member address
Initial Comment:
Mailman 2.1.4 is producing a bug if one tries to login to a private
roster or archive with an email address which is not a member of
the respective mailing list.
This patch solves the problem.
----------------------------------------------------------------------
>Comment By: Stephan Berndts (berndts)
Date: 2004-01-03 01:09
Message:
Logged In: YES
user_id=129854
That's a completely different position in the file!? I am in function
__checkone, not in Authenticate.
Your comment does not match my patch :)
----------------------------------------------------------------------
Comment By: Barry A. Warsaw (bwarsaw)
Date: 2004-01-03 01:02
Message:
Logged In: YES
user_id=12800
Are you sure you're looking at version 2.20.2.2 of
SecurityManager.py? Here's what the AuthUser clause looks like:
    elif ac == mm_cfg.AuthUser:
        if user is not None:
            try:
                if self.authenticateMember(user, response):
                    return ac
            except Errors.NotAMemberError:
                pass
This doesn't match the patch, so I'm wondering if your
files are out of date?
----------------------------------------------------------------------
Bugs item #869647, was opened at 2004-01-02 18:48
Message generated for change (Comment added) made by bwarsaw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=869647&group_i…
Category: Web/CGI
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Stephan Berndts (berndts)
Assigned to: Barry A. Warsaw (bwarsaw)
Summary: Error when accessing priv. roster/arch w/ non-member address
Initial Comment:
Barry removed too much code while trying to correct bug #864676. :(
So Mailman 2.1.4 is producing a bug if one tries to login to a private
roster or archive with an email address which is not a member of
the respective mailing list.
One possible solution is patch #869644.
----------------------------------------------------------------------
>Comment By: Barry A. Warsaw (bwarsaw)
Date: 2004-01-02 19:03
Message:
Logged In: YES
user_id=12800
Please see the comment in patch 869644.
BTW, it's fine if you have a patch that specifically fixes a
bug, to attach the patch to the bug report directly.
----------------------------------------------------------------------
Patches item #869644, was opened at 2004-01-02 18:45
Message generated for change (Comment added) made by bwarsaw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=869644&group_i…
Category: Web UI
Group: Mailman 2.1
Status: Open
Resolution: None
Priority: 5
Submitted By: Stephan Berndts (berndts)
Assigned to: Barry A. Warsaw (bwarsaw)
Summary: Fix: Error accessing priv. roster/arch w/ non-member address
Initial Comment:
Mailman 2.1.4 is producing a bug if one tries to login to a private
roster or archive with an email address which is not a member of
the respective mailing list.
This patch solves the problem.
----------------------------------------------------------------------
>Comment By: Barry A. Warsaw (bwarsaw)
Date: 2004-01-02 19:02
Message:
Logged In: YES
user_id=12800
Are you sure you're looking at version 2.20.2.2 of
SecurityManager.py? Here's what the AuthUser clause looks like:
    elif ac == mm_cfg.AuthUser:
        if user is not None:
            try:
                if self.authenticateMember(user, response):
                    return ac
            except Errors.NotAMemberError:
                pass
This doesn't match the patch, so I'm wondering if your
files are out of date?
----------------------------------------------------------------------