Mailman 3 February 2018 - Mailman-coders

[Merge] lp:~futatuki/mailman/2.1-add-smtp-timeout into lp:mailman/2.1
by Yasuhito FUTATSUKI＠POEM Feb. 9, 2018

Feb. 9, 2018

Yasuhito FUTATSUKI at POEM has proposed merging lp:~futatuki/mailman/2.1-add-smtp-timeout into lp:mailman/2.1. Requested reviews: Mailman Coders (mailman-coders) For more details, see: https://code.launchpad.net/~futatuki/mailman/2.1-add-smtp-timeout/+merge/33… This add a feature to specify timeout for SMTP response to avoid waiting response forever, to SMTPDirect Handler. To specify timeout, set SMTP_TIMEOUT in mm_cfg.py. By default, this is disabled(waiting response until respond the MTA). To test this feature, set mm_cfg.SMTP_TIMEOUT to small value and setup MTA to wait responding (by using greet pause feature, etc) and run smtp test or post message to mailing list to deliver it. -- Your team Mailman Coders is requested to review the proposed merge of lp:~futatuki/mailman/2.1-add-smtp-timeout into lp:mailman/2.1.

2 2

[Bug 1729472] [NEW] The DELIVERY_RETRY_WAIT setting is ignored
by Mark Sapiro Feb. 4, 2018

Feb. 4, 2018

Public bug reported: DELIVERY_RETRY_WAIT is supposed to set the delay between retries of SMTP temp failures, but it currently has no effect. ** Affects: mailman Importance: Low Assignee: Mark Sapiro (msapiro) Status: In Progress -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1729472 Title: The DELIVERY_RETRY_WAIT setting is ignored To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1729472/+subscriptions

2 3

[Bug 1746189] [NEW] wrong usage of _() in Mailman/Cgi/subscribe.py
by Yasuhito FUTATSUKI＠POEM Feb. 4, 2018

Feb. 4, 2018

Public bug reported: When I rebuild mailman.pot on lp:mailman/2.1 rev 1739, I found msgid added on rev 1738 are corrupted. This is caused by wrong _() usage. ** Affects: mailman Importance: Undecided Status: New ** Patch added: "subscribe.py.diff" https://bugs.launchpad.net/bugs/1746189/+attachment/5045430/+files/subscrib… -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1746189 Title: wrong usage of _() in Mailman/Cgi/subscribe.py To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1746189/+subscriptions

2 3

[Bug 1737371] [NEW] Show which header_filter_rules regexp matched in the hold reason.
by Mark Sapiro Feb. 4, 2018

Feb. 4, 2018

Public bug reported: When there are several regexps in header_filter_rules with Hold action it is helpful to know exactly which regexp matched. ** Affects: mailman Importance: Medium Assignee: Mark Sapiro (msapiro) Status: Fix Committed -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1737371 Title: Show which header_filter_rules regexp matched in the hold reason. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1737371/+subscriptions

2 3

[Bug 1747209] [NEW] XSS vulnerability and information leak in user options CGI
by Mark Sapiro Feb. 4, 2018

Feb. 4, 2018

*** This bug is a security vulnerability *** Private security bug reported: CVE-2018-5950 A crafted URL for a user options page can cause a browser to execute arbitrary script encoded in the URL. Also, in developing a fix for this issue it was discovered that a user options URL with a VARHELP query fragment would display the user options page without requiring login. No changes could be made and the settings revealed are not particularly sensitive, but this could be used to fish for membership on a list with a private roster. Thanks to Calum Hutton for the original report. ** Affects: mailman Importance: High Assignee: Mark Sapiro (msapiro) Status: In Progress ** Patch added: "Patch to fix this issue" https://bugs.launchpad.net/bugs/1747209/+attachment/5048344/+files/options.… ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-5950 ** Description changed: CVE-2018-5950 A crafted URL for a user options page can cause a browser to execute arbitrary script encoded in the URL. Also, in developing a fix for this issue it was discovered that a user options URL with a VARHELP query fragment would display the user options page without requiring login. No changes could be made and the settings revealed are not particularly sensitive, but this could be used to fish for membership on a list with a private roster. + + Thanks to Calum Hutton for the original report. -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1747209 Title: XSS vulnerability and information leak in user options CGI To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1747209/+subscriptions

2 3

[Bug 1734162] [NEW] OSError in Mailman/MTA/Postfix.py when updating maps.
by Mark Sapiro Feb. 4, 2018

Feb. 4, 2018

Public bug reported: The fix for lp:1696066 assumes that the Postfix aliases and virtual- mailman mappings are hash tables with .db extension. If they are, e.g., cdb tables with .cdb extension, the attempt to stat the .db file throws OSError. Since there are various possibilities for the table format and extension, and since all the documentation of Mailman-Postfix integration refers only to hash tables, we'll just catch the error and ignore the file. ** Affects: mailman Importance: Low Assignee: Mark Sapiro (msapiro) Status: In Progress -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1734162 Title: OSError in Mailman/MTA/Postfix.py when updating maps. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1734162/+subscriptions

2 3

[Bug 1740543] [NEW] Mailman 2.1.22+ requires Python 2.7
by Mark Sapiro Feb. 4, 2018

Feb. 4, 2018

Public bug reported: While we have been strongly recommending Python 2.7 for some time, it has not been listed as a requirement. Mailman 2.1.22 introduced a call to re.sub() with a flags= argument that requires Python 2.7. The code in question will only be executed when archiving a message with no Date: header containing a valid date and no X-List-Received-At: header containing a valid date which will almost certainly only occur when bin/arch is processing a mbox containing such a message, so this is of minor importance, but is easily fixed so I'll fix it. ** Affects: mailman Importance: Low Assignee: Mark Sapiro (msapiro) Status: In Progress -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1740543 Title: Mailman 2.1.22+ requires Python 2.7 To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1740543/+subscriptions

2 3

[Bug 1744739] [NEW] 2.1.25 login based pages not working with uwsgi
by David Runge Feb. 4, 2018

Feb. 4, 2018

Public bug reported: Mailman 2.1.25's login based pages (private archives, admin page, etc.) don't work with uwsgi (uwsgi times out printing a "invalid CGI response !!!" error). Downgrading to 2.1.24 fixes this issue (I can again log in and uwsgi doesn't reply with the "invalid CGI response !!!" message). I'm on Arch Linux trying to use mailman 2.1.25 with uwsgi 2.0.15 through nginx 1.12.2. I've also opened a downstream bug there [1]. For completeness I will attach the same log files as in the aforementioned bug report. The uwsgi configuration in use for mailman is pretty straight forward: `` [uwsgi] procname-master = mailman master = true plugins = cgi socket = /run/uwsgi/%n.sock stats = /run/uwsgi/%n-stats.sock processes = 1 threads = 2 cheaper-step = 1 idle = 120 die-on-idle = true uid = http gid = http cgi = /=/usr/lib/mailman/cgi-bin cgi-index = listinfo `` Nginx fronts the application server and redirects to a unix socket, which in turn starts a systemd service. More info on the setup can be found on my website [2]. `` [Unit] Description=uWSGI service unit After=syslog.target [Service] ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/%I.ini Type=notify SuccessExitStatus=15 17 29 30 StandardError=syslog NotifyAccess=all KillSignal=SIGQUIT PrivateDevices=yes PrivateTmp=yes ProtectSystem=full ReadWriteDirectories=/etc/webapps ProtectHome=yes [Install] WantedBy=multi-user.target `` `` [Unit] Description=Socket for uWSGI %I [Socket] ListenStream=/run/uwsgi/%I.sock [Install] WantedBy=sockets.target `` [1] https://bugs.archlinux.org/task/56865 [2] https://sleepmap.de/2016/securely-serving-webapps-using-uwsgi/ ** Affects: mailman Importance: Undecided Status: New ** Tags: nginx uwsgi ** Attachment added: "uwsgi log for mailman" https://bugs.launchpad.net/bugs/1744739/+attachment/5041051/+files/uwsgi-ma… -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1744739 Title: 2.1.25 login based pages not working with uwsgi To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1744739/+subscriptions

3 10