Mailman-coders November 2021

mailman-coders@python.org

7 participants
9 discussions

[Bug 1462755] [NEW] qrunner crashes on invalid unicode sequence
by Thijs Kinkhorst 28 Feb '22

28 Feb '22

Public bug reported: When a message contains an invalud unicode sequence in its header, qrunner flat out crashes on that: May 17 15:32:20 2015 (981) Uncaught runner exception: 'utf8' codec can't decode byte 0xe9 in position 18: invalid continuation byte May 17 15:32:20 2015 (981) Traceback (most recent call last): File "/var/lib/mailman/Mailman/Queue/Runner.py", line 119, in _oneloop self._onefile(msg, msgdata) File "/var/lib/mailman/Mailman/Queue/Runner.py", line 190, in _onefile keepqueued = self._dispose(mlist, msg, msgdata) File "/var/lib/mailman/Mailman/Queue/IncomingRunner.py", line 130, in _dispose more = self._dopipeline(mlist, msg, msgdata, pipeline) File "/var/lib/mailman/Mailman/Queue/IncomingRunner.py", line 153, in _dopipeline sys.modules[modname].process(mlist, msg, msgdata) File "/var/lib/mailman/Mailman/Handlers/CookHeaders.py", line 239, in process i18ndesc = uheader(mlist, mlist.description, 'List-Id', maxlinelen=998) File "/var/lib/mailman/Mailman/Handlers/CookHeaders.py", line 65, in uheader return Header(s, charset, maxlinelen, header_name, continuation_ws) File "/usr/lib/python2.7/email/header.py", line 183, in __init__ self.append(s, charset, errors) File "/usr/lib/python2.7/email/header.py", line 267, in append ustr = unicode(s, incodec, errors) UnicodeDecodeError: 'utf8' codec can't decode byte 0xe9 in position 18: invalid continuation byte May 17 15:32:20 2015 (981) SHUNTING: 1431869540.389822+156779307d54473d0eb732994bb67eee95733285 A solution for this specific case is to have Mailman/Handlers/CookHeaders.py pass the erorrs='replace' parameter. I would say that this is actually a bug in python-email, since I think it doesn't make sense to set errors to "strict" rather than something like "replace" when the intention is to parse stuff so free-formed, under-specd and user-controlled as email. Nonetheless, Mailman already sets errors='replace' in some places so it might aswell add it here. ** Affects: mailman Importance: Undecided Status: New -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1462755 Title: qrunner crashes on invalid unicode sequence To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1462755/+subscriptions

6 12

[Bug 965532] [NEW] Need a script to upgrade from MM2 to MM3
by Barry Warsaw 13 Dec '21

13 Dec '21

Public bug reported: We need a script, documentation, or other procedure to help people migrate from Mailman 2 to Mailman 3. ** Affects: mailman Importance: Undecided Status: New ** Tags: mailman3 -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/965532 Title: Need a script to upgrade from MM2 to MM3 To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/965532/+subscriptions

8 21

[Bug 1952755] [NEW] Permissions checks should be case-insensitive against login email
by Loïc Gomez 03 Dec '21

03 Dec '21

Public bug reported: Hi, One of our users complained being rejected with 403 Unauthorized when moderating a list he's an owner of. We're using Ubuntu SSO for login purposes, and we noticed they had an uppercase letter in their email in both account_emailaddress and auth_user tables. We asked them to add the lowercase version of their email and remove the other one, but mailman complained email address is already attached to their account. We then did some db surgery, updating their email to the lowercase version in both tables, and it resolved their issue. Authentication should probably do a case-insensitive check of login email against auth database. We're using mailman version: 3.1.1-9 Ubuntu package On a sidenote: email address was in both account_emailaddress and auth_user, auth_user could also be updated, so it uses account_emailaddress.id instead of having duplicate data. Could you please let us know if there are other occurrences of email in the schema, and if we should replicate our manual changes in some other tables for our user ? Thank you! Loïc ** Affects: mailman Importance: Undecided Status: New -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1952755 Title: Permissions checks should be case-insensitive against login email To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1952755/+subscriptions

2 2

[Bug 1951769] [NEW] NotAMemberError Exception in user options page
by Mark Sapiro 30 Nov '21

30 Nov '21

Public bug reported: If a user logs in to the options page and unsubscribes or is unsubscribed and then submits the options form again, perhaps by going back to the page in the browser, The CSRF check raises NotAMemberError and the user gets a We hit a bug page. This is related to https://bugs.launchpad.net/mailman/+bug/1523273 but occurs for a different reason. ** Affects: mailman Importance: Low Status: In Progress -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1951769 Title: NotAMemberError Exception in user options page To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1951769/+subscriptions

3 7

[Bug 1952384] [NEW] A CSRF vulnerability could allow a list moderator or list member to access the admin UI
by Mark Sapiro 30 Nov '21

30 Nov '21

*** This bug is a security vulnerability *** Private security bug reported: A list moderator or list member can potentially carry out a CSRF attach by getting a list admin to visit a crafted web page ** Affects: mailman Importance: Medium Assignee: Mark Sapiro (msapiro) Status: In Progress ** Patch added: "Patch to fix this issue." https://bugs.launchpad.net/bugs/1952384/+attachment/5543451/+files/patch.txt -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1952384 Title: A CSRF vulnerability could allow a list moderator or list member to access the admin UI To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1952384/+subscriptions

2 4

[Bug 1949403] [NEW] A vulnerability could allow a list moderator to discover the admin password.
by Mark Sapiro 12 Nov '21

12 Nov '21

*** This bug is a security vulnerability *** Private security bug reported: The CSRF token for the admindb page contains an encrypted version of the list admin password which could potentially be cracked by a moderator via an off-line brute force attack. ** Affects: mailman Importance: Undecided Assignee: Mark Sapiro (msapiro) Status: In Progress -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1949403 Title: A vulnerability could allow a list moderator to discover the admin password. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1949403/+subscriptions

2 5

[Bug 1950833] [NEW] TypeError in nandling moderator requests.
by Mark Sapiro 12 Nov '21

12 Nov '21

Public bug reported: The fix for https://bugs.launchpad.net/mailman/+bug/1949403 can cause this issue in the admindb interface if a list has no moderator password Traceback (most recent call last): File "/mailman/mailman-${domainslug}/scripts/driver", line 117, in run_main main() File "/mailman/mailman-${domainslug}/Mailman/Cgi/admindb.py", line 342, in main print doc.Format() File "/mailman/mailman-${domainslug}/Mailman/htmlformat.py", line 352, in Format output.append(Container.Format(self, indent)) File "/mailman/mailman-${domainslug}/Mailman/htmlformat.py", line 267, in Format output.append(HTMLFormatObject(item, indent)) File "/mailman/mailman-${domainslug}/Mailman/htmlformat.py", line 53, in HTMLFormatObject return item.Format(indent) File "/mailman/mailman-${domainslug}/Mailman/htmlformat.py", line 445, in Format % csrf_token(self.mlist, self.contexts, self.user) File "/mailman/mailman-${domainslug}/Mailman/CSRFcheck.py", line 53, in csrf_token mac = sha_new(secret + `issued`).hexdigest() TypeError: unsupported operand type(s) for +: 'NoneType' and 'str' ** Affects: mailman Importance: Critical Assignee: Mark Sapiro (msapiro) Status: In Progress -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1950833 Title: TypeError in nandling moderator requests. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1950833/+subscriptions

2 3

[Bug 1949401] [NEW] Potential XSS attack via the user options page.
by Mark Sapiro 12 Nov '21

12 Nov '21

*** This bug is a security vulnerability *** Private security bug reported: A crafted URL to the user options page can execute arbitrary javascript. ** Affects: mailman Importance: Medium Assignee: Mark Sapiro (msapiro) Status: In Progress -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1949401 Title: Potential XSS attack via the user options page. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1949401/+subscriptions

2 4

[Bug 1950526] [NEW] Error upgrading on Debian 9 from Installed: 1:2.1.23-1+deb9u6 to Candidate: 1:2.1.23-1+deb9u7
by g 10 Nov '21

10 Nov '21

Public bug reported: Debian 9 Upgrading mailman Installed: 1:2.1.23-1+deb9u6 Candidate: 1:2.1.23-1+deb9u7 apt update apt upgrade errors Fetched 6,748 kB in 0s (12.4 MB/s) Reading changelogs... Done Preconfiguring packages ... File "/var/lib/mailman/bin/list_lists", line 75 except getopt.error, msg: ^ SyntaxError: invalid syntax (Reading database ... 99804 files and directories currently installed.) Preparing to unpack .../00-mailman_1%3a2.1.23-1+deb9u7_amd64.deb ... File "/usr/bin/pyclean", line 63 except (IOError, OSError), e: ^ SyntaxError: invalid syntax dpkg: warning: subprocess old pre-removal script returned error exit status 1 dpkg: trying script from the new package instead ... File "/usr/bin/pyclean", line 63 except (IOError, OSError), e: ^ SyntaxError: invalid syntax dpkg: error processing archive /tmp/apt-dpkg-install-vEhtzR/00-mailman_1%3a2.1.23-1+deb9u7_amd64.deb (--unpack): subprocess new pre-removal script returned error exit status 1 File "/var/lib/mailman/bin/list_lists", line 75 except getopt.error, msg: ^ SyntaxError: invalid syntax File "/usr/lib/mailman/bin/update", line 107 print C_('Fixing language templates: %(listname)s') ^ SyntaxError: invalid syntax dpkg: error while cleaning up: subprocess installed post-installation script returned error exit status 1 Preparing to unpack .../01-python-pil_4.0.0-4+deb9u3_amd64.deb ... File "/usr/bin/pyclean", line 63 except (IOError, OSError), e: ^ SyntaxError: invalid syntax dpkg: warning: subprocess old pre-removal script returned error exit status 1 dpkg: trying script from the new package instead ... File "/usr/bin/pyclean", line 63 except (IOError, OSError), e: ^ SyntaxError: invalid syntax dpkg: error processing archive /tmp/apt-dpkg-install-vEhtzR/01-python-pil_4.0.0-4+deb9u3_amd64.deb (--unpack): subprocess new pre-removal script returned error exit status 1 Traceback (most recent call last): File "/usr/bin/pycompile", line 35, in <module> from debpython.version import SUPPORTED, debsorted, vrepr, \ File "/usr/share/python/debpython/version.py", line 24, in <module> from ConfigParser import SafeConfigParser ModuleNotFoundError: No module named 'ConfigParser' dpkg: error while cleaning up: subprocess installed post-installation script returned error exit status 1 Preparing to unpack .../02-python-imaging_4.0.0-4+deb9u3_all.deb ... File "/usr/bin/pyclean", line 63 except (IOError, OSError), e: ^ SyntaxError: invalid syntax dpkg: warning: subprocess old pre-removal script returned error exit status 1 dpkg: trying script from the new package instead ... File "/usr/bin/pyclean", line 63 except (IOError, OSError), e: ^ SyntaxError: invalid syntax dpkg: error processing archive /tmp/apt-dpkg-install-vEhtzR/02-python-imaging_4.0.0-4+deb9u3_all.deb (--unpack): subprocess new pre-removal script returned error exit status 1 Traceback (most recent call last): File "/usr/bin/pycompile", line 35, in <module> from debpython.version import SUPPORTED, debsorted, vrepr, \ File "/usr/share/python/debpython/version.py", line 24, in <module> from ConfigParser import SafeConfigParser ModuleNotFoundError: No module named 'ConfigParser' dpkg: error while cleaning up: subprocess installed post-installation script returned error exit status 1 Preparing to unpack .../03-python-lxml_3.7.1-1+deb9u4_amd64.deb ... File "/usr/bin/pyclean", line 63 except (IOError, OSError), e: ^ SyntaxError: invalid syntax dpkg: warning: subprocess old pre-removal script returned error exit status 1 dpkg: trying script from the new package instead ... File "/usr/bin/pyclean", line 63 except (IOError, OSError), e: ^ SyntaxError: invalid syntax dpkg: error processing archive /tmp/apt-dpkg-install-vEhtzR/03-python-lxml_3.7.1-1+deb9u4_amd64.deb (--unpack): subprocess new pre-removal script returned error exit status 1 Traceback (most recent call last): File "/usr/bin/pycompile", line 35, in <module> from debpython.version import SUPPORTED, debsorted, vrepr, \ File "/usr/share/python/debpython/version.py", line 24, in <module> from ConfigParser import SafeConfigParser ModuleNotFoundError: No module named 'ConfigParser' dpkg: error while cleaning up: subprocess installed post-installation script returned error exit status 1 Preparing to unpack .../04-python-xdg_0.25-4+deb9u1_all.deb ... File "/usr/bin/pyclean", line 63 except (IOError, OSError), e: ^ SyntaxError: invalid syntax dpkg: warning: subprocess old pre-removal script returned error exit status 1 dpkg: trying script from the new package instead ... File "/usr/bin/pyclean", line 63 except (IOError, OSError), e: ^ SyntaxError: invalid syntax dpkg: error processing archive /tmp/apt-dpkg-install-vEhtzR/04-python-xdg_0.25-4+deb9u1_all.deb (--unpack): subprocess new pre-removal script returned error exit status 1 Traceback (most recent call last): File "/usr/bin/pycompile", line 35, in <module> from debpython.version import SUPPORTED, debsorted, vrepr, \ File "/usr/share/python/debpython/version.py", line 24, in <module> from ConfigParser import SafeConfigParser ModuleNotFoundError: No module named 'ConfigParser' dpkg: error while cleaning up: subprocess installed post-installation script returned error exit status 1 Errors were encountered while processing: /tmp/apt-dpkg-install-vEhtzR/00-mailman_1%3a2.1.23-1+deb9u7_amd64.deb /tmp/apt-dpkg-install-vEhtzR/01-python-pil_4.0.0-4+deb9u3_amd64.deb /tmp/apt-dpkg-install-vEhtzR/02-python-imaging_4.0.0-4+deb9u3_all.deb /tmp/apt-dpkg-install-vEhtzR/03-python-lxml_3.7.1-1+deb9u4_amd64.deb /tmp/apt-dpkg-install-vEhtzR/04-python-xdg_0.25-4+deb9u1_all.deb E: Sub-process /usr/bin/dpkg returned an error code (1) Thanks ** Affects: mailman Importance: Undecided Status: New -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1950526 Title: Error upgrading on Debian 9 from Installed: 1:2.1.23-1+deb9u6 to Candidate: 1:2.1.23-1+deb9u7 To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1950526/+subscriptions

2 1

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

Mailman-coders November 2021