Public bug reported:
When a message contains an invalid unicode sequence in its header,
qrunner flat out crashes on that:
May 17 15:32:20 2015 (981) Uncaught runner exception: 'utf8' codec can't decode byte 0xe9 in position 18: invalid continuation byte
May 17 15:32:20 2015 (981) Traceback (most recent call last):
  File "/var/lib/mailman/Mailman/Queue/Runner.py", line 119, in _oneloop
    self._onefile(msg, msgdata)
  File "/var/lib/mailman/Mailman/Queue/Runner.py", line 190, in _onefile
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/var/lib/mailman/Mailman/Queue/IncomingRunner.py", line 130, in _dispose
    more = self._dopipeline(mlist, msg, msgdata, pipeline)
  File "/var/lib/mailman/Mailman/Queue/IncomingRunner.py", line 153, in _dopipeline
    sys.modules[modname].process(mlist, msg, msgdata)
  File "/var/lib/mailman/Mailman/Handlers/CookHeaders.py", line 239, in process
    i18ndesc = uheader(mlist, mlist.description, 'List-Id', maxlinelen=998)
  File "/var/lib/mailman/Mailman/Handlers/CookHeaders.py", line 65, in uheader
    return Header(s, charset, maxlinelen, header_name, continuation_ws)
  File "/usr/lib/python2.7/email/header.py", line 183, in __init__
    self.append(s, charset, errors)
  File "/usr/lib/python2.7/email/header.py", line 267, in append
    ustr = unicode(s, incodec, errors)
UnicodeDecodeError: 'utf8' codec can't decode byte 0xe9 in position 18: invalid continuation byte
May 17 15:32:20 2015 (981) SHUNTING: 1431869540.389822+156779307d54473d0eb732994bb67eee95733285
A solution for this specific case is to have Mailman/Handlers/CookHeaders.py pass the errors='replace' parameter.
I would say that this is actually a bug in python-email, since I think it doesn't make sense to set errors to "strict" rather than something like "replace" when the intention is to parse stuff so free-formed, under-specd
and user-controlled as email. Nonetheless, Mailman already sets errors='replace' in some places so it might as well add it here.
** Affects: mailman
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1462755
Title:
qrunner crashes on invalid unicode sequence
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1462755/+subscriptions
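The failure in the report above and the effect of errors='replace', as an added example that is not part of the bug report or of Mailman's code. It runs on Python 3, where email.header.Header takes the same errors parameter; the sample descriptions and the run_queue() stand-in for the runner loop are constructed for illustration.

```python
from email.header import Header

# Constructed sample: a Latin-1 list description on a list whose charset is
# UTF-8. Byte 0xe9 sits at offset 18 and is followed by an ASCII byte.
BAD_DESCRIPTION = b"Annonces des comit\xe9s"
GOOD_DESCRIPTION = "Annonces des comit\u00e9s".encode("utf-8")


def make_header(raw, errors="strict"):
    """Build the header with the same arguments seen in the traceback."""
    return Header(raw, "utf-8", maxlinelen=998, header_name="List-Id",
                  errors=errors)


def strict_failure(raw):
    """Return the UnicodeDecodeError raised under errors='strict', or None."""
    try:
        make_header(raw)
    except UnicodeDecodeError as exc:
        return exc
    return None


def run_queue(descriptions, errors):
    """Hypothetical stand-in for the runner loop: handled vs shunted items."""
    handled, shunted = [], []
    for raw in descriptions:
        try:
            handled.append(str(make_header(raw, errors=errors)))
        except UnicodeDecodeError:
            # An uncaught exception is what moves the message to the shunt queue.
            shunted.append(raw)
    return handled, shunted


if __name__ == "__main__":
    exc = strict_failure(BAD_DESCRIPTION)
    print("strict:", exc.reason, "at offset", exc.start)
    print("replace:", run_queue([BAD_DESCRIPTION], "replace")[0])
    print("wire form:", make_header(BAD_DESCRIPTION, "replace").encode())
```

With errors='replace' the undecodable byte becomes U+FFFD in the header text, so the original byte is lost but the message keeps moving through the pipeline.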
Public bug reported:
We need a script, documentation, or other procedure to help people
migrate from Mailman 2 to Mailman 3.
** Affects: mailman
Importance: Undecided
Status: New
** Tags: mailman3
--
https://bugs.launchpad.net/bugs/965532
Title:
Need a script to upgrade from MM2 to MM3
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/965532/+subscriptions
Public bug reported:
dnspython >=2.0 requires Python >=3.6 and won't work with Mailman 2.1.
./configure should check for dnspython <2.0 and mention this requirement
if not found.
** Affects: mailman
Importance: Medium
Assignee: Mark Sapiro (msapiro)
Status: New
--
https://bugs.launchpad.net/bugs/1895451
Title:
Mailman 2.1 does not support dnspython >=2.0
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1895451/+subscriptions
Public bug reported:
Mailman 3 is essentially five projects:
Mailman Core
Postorius - The Web UI for Mailman
Mailman Client - The REST API Client
HyperKitty - The Archiver for Mailman
Mailman Bundler - Installer for Mailman Suite including all above projects
URL: https://www.gnu.org/software/mailman/
** Affects: mailman
Importance: Undecided
Status: New
** Affects: ubuntu
Importance: Undecided
Status: New
** Affects: debian
Importance: Unknown
Status: Unknown
** Tags: needs-packaging
** Bug watch added: Debian Bug tracker #799292
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799292
** Also affects: debian via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799292
Importance: Unknown
Status: Unknown
** Also affects: mailman
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1609516
Title:
[needs-packaging] GNU Mailman v3
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1609516/+subscriptions
*** This bug is a security vulnerability ***
Private security bug reported:
A URL with a very long text listname such as
https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phis…
will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.
This issue was discovered by Abderrahmane Sahnoun <x.virusdz0(a)gmail.com>.
same as CVE-2018-13796
** Affects: mailman
Importance: Undecided
Assignee: Abderrahmane Sahnoun (xvirusdz)
Status: New
** Changed in: mailman
Assignee: (unassigned) => Abderrahmane Sahnoun (xvirusdz)
** Description changed:
hi team,
im Abderrahmane Sahnoun Algerian Security Researcher when i was exploring your website i have found a bug witch done the possibility to A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site in GNU Mailman 2.1.33.
it's the same like CVE-2018-13796
here a example of it:
- https://homewalkers.net/mailman/roster/wassim
+ https://homewalkers.net/mailman/roster/type_any_thing_here
I await your reply at the earliest time
Sincerely;
** Description changed:
- hi team,
- im Abderrahmane Sahnoun Algerian Security Researcher when i was exploring your website i have found a bug witch done the possibility to A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site in GNU Mailman 2.1.33.
- it's the same like CVE-2018-13796
- here a example of it:
- https://homewalkers.net/mailman/roster/type_any_thing_here
- I await your reply at the earliest time
- Sincerely;
+ A URL with a very long text listname such as
+ https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phis…
+ will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.
+
+ This issue was discovered by Abderrahmane Sahnoun
+ <x.virusdz0(a)gmail.com>.
** Changed in: mailman
Assignee: Abderrahmane Sahnoun (xvirusdz) => (unassigned)
** Description changed:
A URL with a very long text listname such as
https://homewalkers.net/mailman/roster/This_is_a_long_string_with_some_phis…
will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.
- This issue was discovered by Abderrahmane Sahnoun
- <x.virusdz0(a)gmail.com>.
+ This issue was discovered by Abderrahmane Sahnoun <x.virusdz0(a)gmail.com>.
+ same as CVE-2018-13796
** Changed in: mailman
Assignee: (unassigned) => Abderrahmane Sahnoun (xvirusdz)
--
https://bugs.launchpad.net/bugs/1913241
Title:
A crafted URL can cause arbitrary text to be displayed on a web page
from a trusted site.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1913241/+subscriptions
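The reflected "No such list" response described in the report above, shown beside a non-reflecting form, as an added example that is not Mailman's code or its actual fix. The handler, function names, list names and sample path are hypothetical and constructed for illustration.

```python
import html

KNOWN_LISTS = {"announce", "dev-team"}  # constructed sample data
# Constructed sample request path with an arbitrary long "list name".
CRAFTED_PATH = "/This_is_a_long_string_of_text_chosen_by_the_link_author"


def listname_from_path(path_info):
    """First path component after the script name: '/announce' -> 'announce'."""
    parts = [p for p in path_info.split("/") if p]
    return parts[0].lower() if parts else ""


def reflecting_error(path_info):
    """'Before': echoes the requested name. Escaping stops markup injection,
    but plain words chosen by the URL's author still render on the page."""
    name = listname_from_path(path_info)
    return "<h2>No such list <em>%s</em></h2>" % html.escape(name)


def fixed_error(path_info, max_logged=64):
    """'After': constant page body; the requested value only reaches the log,
    truncated and repr()-quoted so it cannot forge log lines."""
    name = listname_from_path(path_info)
    log_line = "No such list: %r" % name[:max_logged]
    return "<h2>No such list</h2>", log_line


def roster_page(path_info):
    """Hypothetical handler returning (status, body, log_line)."""
    name = listname_from_path(path_info)
    if name in KNOWN_LISTS:
        return 200, "<h2>Roster for %s</h2>" % html.escape(name), None
    body, log_line = fixed_error(path_info)
    return 404, body, log_line


if __name__ == "__main__":
    print(reflecting_error(CRAFTED_PATH))
    print(roster_page(CRAFTED_PATH))
```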