Public bug reported:
DELIVERY_RETRY_WAIT is supposed to set the delay between retries of SMTP
temp failures, but it currently has no effect.
** Affects: mailman
Importance: Low
Assignee: Mark Sapiro (msapiro)
Status: In Progress
--
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1729472
Title:
The DELIVERY_RETRY_WAIT setting is ignored
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1729472/+subscriptions
Public bug reported:
When there are several regexps in header_filter_rules with Hold action,
it is helpful to know exactly which regexp matched.
** Affects: mailman
Importance: Medium
Assignee: Mark Sapiro (msapiro)
Status: Fix Committed
--
https://bugs.launchpad.net/bugs/1737371
Title:
Show which header_filter_rules regexp matched in the hold reason.
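As an added illustration of the request above (example code, not Mailman's own implementation): a header_filter_rules-style matcher that records which regexp fired so the hold reason can name it. The rule semantics (each pattern is searched against every "Header: value" line, case-insensitively), the sample rules and the sample messages are assumptions constructed for the demonstration.

```python
import re
from email.message import EmailMessage

# Added example, not Mailman's code: evaluate (pattern, action) rules against
# a message and report the pattern that matched, so a Hold reason can cite it.
HOLD, DISCARD, ACCEPT = "hold", "discard", "accept"

def header_lines(msg):
    """Flatten the headers to 'Name: value' lines, the form the regexps see."""
    return ["%s: %s" % (name, value) for name, value in msg.items()]

def apply_header_filter_rules(msg, rules):
    """Return (action, matched_pattern) for the first rule whose regexp matches
    any header line, or (ACCEPT, None) when no rule matches.
    Assumption: patterns are compiled with re.IGNORECASE."""
    lines = header_lines(msg)
    for pattern, action in rules:
        cre = re.compile(pattern, re.IGNORECASE)
        for line in lines:
            if cre.search(line):
                return action, pattern
    return ACCEPT, None

def hold_reason(msg, rules):
    """Moderator-facing hold reason naming the regexp that fired, or None."""
    action, pattern = apply_header_filter_rules(msg, rules)
    if action == HOLD:
        return "Message held by header_filter_rules: matched %r" % pattern
    return None

# Constructed sample rules and messages for the demonstration.
SAMPLE_RULES = [
    (r"^X-Spam-Flag:\s*YES", HOLD),
    (r"^Subject:.*\bcasino\b", HOLD),
    (r"^From:.*@example\.invalid$", DISCARD),
]

def sample_message():
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "list@example.com"
    msg["Subject"] = "Win big at our casino tonight"
    return msg

def clean_message():
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "list@example.com"
    msg["Subject"] = "Agenda for Thursday"
    return msg
```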
*** This bug is a security vulnerability ***
Private security bug reported:
CVE-2018-5950
A crafted URL for a user options page can cause a browser to execute
arbitrary script encoded in the URL.
Also, in developing a fix for this issue it was discovered that a user
options URL with a VARHELP query fragment would display the user options
page without requiring login. No changes could be made and the settings
revealed are not particularly sensitive, but this could be used to fish
for membership on a list with a private roster.
Thanks to Calum Hutton for the original report.
** Affects: mailman
Importance: High
Assignee: Mark Sapiro (msapiro)
Status: In Progress
** Patch added: "Patch to fix this issue"
https://bugs.launchpad.net/bugs/1747209/+attachment/5048344/+files/options.…
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-5950
** Description changed:
CVE-2018-5950
A crafted URL for a user options page can cause a browser to execute
arbitrary script encoded in the URL.
Also, in developing a fix for this issue it was discovered that a user
options URL with a VARHELP query fragment would display the user options
page without requiring login. No changes could be made and the settings
revealed are not particularly sensitive, but this could be used to fish
for membership on a list with a private roster.
+
+ Thanks to Calum Hutton for the original report.
--
https://bugs.launchpad.net/bugs/1747209
Title:
XSS vulnerability and information leak in user options CGI
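An added example, not Mailman's code or the attached patch, of the two defensive properties the report above calls for in a user options CGI: HTML-escaping anything reflected from the URL, and checking login before any branch (VARHELP included) with an unauthenticated response that is identical for members and non-members, so it cannot be used to probe a private roster. The URL layout, function names and roster are assumptions constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Added example (not Mailman's code): a hardened request handler for a
# user-options page. Constructed URL layout: .../options/<list>/<address>?VARHELP=<name>
LOGIN_REQUIRED = "<p>Please log in to view your options.</p>"

def render_varhelp(varname):
    """Help page for one setting. The name comes from the URL, so it is
    escaped before being placed in the HTML (property 1)."""
    return "<h2>Help for %s</h2>" % html.escape(varname, quote=True)

def render_options(address):
    """Options page for an authenticated member; the address is escaped too."""
    return "<h1>Options for %s</h1>" % html.escape(address, quote=True)

def handle_options_request(url, roster, authenticated_as=None):
    """Return the HTML for a user-options request.

    url:              requested URL (assumed layout above)
    roster:           set of member addresses, treated as private
    authenticated_as: address of the logged-in user, or None
    """
    parts = urlsplit(url)
    address = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query)

    # Property 2: login is checked before VARHELP or any other branch, and the
    # reply is the same whether or not the address is on the roster, so an
    # unauthenticated request learns nothing about membership.
    if authenticated_as is None or authenticated_as != address or address not in roster:
        return LOGIN_REQUIRED
    if "VARHELP" in query:
        return render_varhelp(query["VARHELP"][0])
    return render_options(address)

# Constructed roster for the demonstration.
ROSTER = {"alice@example.com", "bob@example.com"}
```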
Public bug reported:
The fix for lp:1696066 assumes that the Postfix aliases and virtual-
mailman mappings are hash tables with .db extension. If they are, e.g.,
cdb tables with .cdb extension, the attempt to stat the .db file throws
OSError.
Since there are various possibilities for the table format and
extension, and since all the documentation of Mailman-Postfix
integration refers only to hash tables, we'll just catch the error and
ignore the file.
** Affects: mailman
Importance: Low
Assignee: Mark Sapiro (msapiro)
Status: In Progress
--
https://bugs.launchpad.net/bugs/1734162
Title:
OSError in Mailman/MTA/Postfix.py when updating maps.
Public bug reported:
While we have been strongly recommending Python 2.7 for some time, it
has not been listed as a requirement. Mailman 2.1.22 introduced a call
to re.sub() with a flags= argument that requires Python 2.7. The code in
question will only be executed when archiving a message with no Date:
header containing a valid date and no X-List-Received-At: header
containing a valid date, which will almost certainly only occur when
bin/arch is processing an mbox containing such a message, so this is of
minor importance, but it is easily fixed so I'll fix it.
** Affects: mailman
Importance: Low
Assignee: Mark Sapiro (msapiro)
Status: In Progress
--
https://bugs.launchpad.net/bugs/1740543
Title:
Mailman 2.1.22+ requires Python 2.7
Public bug reported:
Mailman 2.1.25's login based pages (private archives, admin page, etc.) don't work with uwsgi (uwsgi times out printing an "invalid CGI response !!!" error).
Downgrading to 2.1.24 fixes this issue (I can again log in and uwsgi doesn't reply with the "invalid CGI response !!!" message).
I'm on Arch Linux trying to use mailman 2.1.25 with uwsgi 2.0.15 through nginx 1.12.2.
I've also opened a downstream bug there [1].
For completeness I will attach the same log files as in the aforementioned bug report.
The uwsgi configuration in use for mailman is pretty straightforward:
```ini
[uwsgi]
procname-master = mailman
master = true
plugins = cgi
socket = /run/uwsgi/%n.sock
stats = /run/uwsgi/%n-stats.sock
processes = 1
threads = 2
cheaper-step = 1
idle = 120
die-on-idle = true
uid = http
gid = http
cgi = /=/usr/lib/mailman/cgi-bin
cgi-index = listinfo
```
Nginx fronts the application server and redirects to a unix socket,
which in turn starts a systemd service. More info on the setup can be
found on my website [2].
```ini
[Unit]
Description=uWSGI service unit
After=syslog.target
[Service]
ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/%I.ini
Type=notify
SuccessExitStatus=15 17 29 30
StandardError=syslog
NotifyAccess=all
KillSignal=SIGQUIT
PrivateDevices=yes
PrivateTmp=yes
ProtectSystem=full
ReadWriteDirectories=/etc/webapps
ProtectHome=yes
[Install]
WantedBy=multi-user.target
```
```ini
[Unit]
Description=Socket for uWSGI %I
[Socket]
ListenStream=/run/uwsgi/%I.sock
[Install]
WantedBy=sockets.target
```
[1] https://bugs.archlinux.org/task/56865
[2] https://sleepmap.de/2016/securely-serving-webapps-using-uwsgi/
** Affects: mailman
Importance: Undecided
Status: New
** Tags: nginx uwsgi
** Attachment added: "uwsgi log for mailman"
https://bugs.launchpad.net/bugs/1744739/+attachment/5041051/+files/uwsgi-ma…
--
https://bugs.launchpad.net/bugs/1744739
Title:
2.1.25 login based pages not working with uwsgi