Mailman-coders

mailman-coders@python.org

10 participants
4837 discussions

[Bug 1931029] [NEW] DMARC policy lookup violates RFC 7849.

by Mark Sapiro

Public bug reported: If DNS lookup of TXT records for a domain finds more than one v=DMARC1; record, it checks them all for policy = reject or quarantine. RFC 7849, Sec 6.6.3 item 5 says 5. If the remaining set contains multiple records or no records, policy discovery terminates and DMARC processing is not applied to this message. Thus, if we find multiple records we should assume no DMARC policy for this domain. ** Affects: mailman Importance: Low Status: Triaged -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1931029 Title: DMARC policy lookup violates RFC 7849. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1931029/+subscriptions

1 day, 2 hours

[Bug 1917968] [NEW] A text/plain message body is scrubbed with a .ksh extension

by Mark Sapiro

Public bug reported: If a simple text/plain message has a Content-Disposition: header and does not have a Content-Type: header with a charset parameter, the body will be scrubbed to a file with a .ksh extension. It is only text/plain attachments that should be scrubbed in this way and they should be given a .txt extension. ** Affects: mailman Importance: Low Assignee: Mark Sapiro (msapiro) Status: Fix Committed -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1917968 Title: A text/plain message body is scrubbed with a .ksh extension To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1917968/+subscriptions

1 day, 2 hours

[Bug 1922843] [NEW] bounce action notice message never use the translation for 'disabled'

by Yasuhito FUTATSUKI at POEM

Public bug reported: In Bouncer.Bouncer.__sendAdminBounceNotice(), default value of "did" argment is evaluated only once on method definition and not evaluated at runtime. This causes that the translation of 'disabled' is never used other than default one. A fix will be like a patch below (but not checked). --- a/Mailman/Bouncer.py +++ b/Mailman/Bouncer.py @@ -226,12 +226,14 @@ class Bouncer: if self.bounce_notify_owner_on_disable: self.__sendAdminBounceNotice(member, msg) - def __sendAdminBounceNotice(self, member, msg, did=_('disabled')): + def __sendAdminBounceNotice(self, member, msg, did=None): # BAW: This is a bit kludgey, but we're not providing as much # information in the new admin bounce notices as we used to (some of # it was of dubious value). However, we'll provide empty, strange, or # meaningless strings for the unused %()s fields so that the language # translators don't have to provide new templates. + if did = None: + did = _('disabled') siteowner = Utils.get_site_email(self.host_name) text = Utils.maketext( 'bounce.txt', ** Affects: mailman Importance: Undecided Status: New ** Branch linked: lp:mailman/2.1 -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1922843 Title: bounce action notice message never use the translation for 'disabled' To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1922843/+subscriptions

1 day, 2 hours

[Bug 1921682] [NEW] Japanese language prevents user from unsubscribing

by Tomas Korbar

Public bug reported: Hi, When mailing list is configured with: preferred_language = 'ja' available_languages = ['en', 'ja'] send_goodbye_msg = 0 And mailman receives confirmation email for unsubscription with multipart message encoded in different encoding than euc-jp, then mailmans command runner crashes with traceback: Feb 10 18:08:00 2021 (1270) Uncaught runner exception: 'euc_jp' codec can't decode bytes in position 280-281: illegal multibyte sequence Feb 10 18:08:00 2021 (1270) Traceback (most recent call last): File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 119, in _oneloop self._onefile(msg, msgdata) File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 190, in _onefile keepqueued = self._dispose(mlist, msg, msgdata) File "/usr/lib/mailman/Mailman/Queue/CommandRunner.py", line 291, in _dispose res.send_response() File "/usr/lib/mailman/Mailman/Queue/CommandRunner.py", line 208, in send_response results = MIMEText(NL.join(encoded_resp), _charset=charset) File "/usr/lib64/python2.7/email/mime/text.py", line 30, in __init__ self.set_payload(_text, _charset) File "/usr/lib64/python2.7/email/message.py", line 226, in set_payload self.set_charset(charset) File "/usr/lib64/python2.7/email/message.py", line 264, in set_charset self._payload = charset.body_encode(self._payload) File "/usr/lib64/python2.7/email/charset.py", line 390, in body_encode s = self.convert(s) File "/usr/lib64/python2.7/email/charset.py", line 273, in convert return unicode(s, self.input_codec).encode(self.output_codec) UnicodeDecodeError: 'euc_jp' codec can't decode bytes in position 280-281: illegal multibyte sequence Here is an example of a mail which triggers this: Date: Wed, 11 Nov 2020 14:13:16 +0900 Subject: Re: ###CONFIRM### From: <testuser2@###SERVER###> To: userlist-request(a)###SERVER###.com MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="000000000000663b1c05b3cdda78" --000000000000663b1c05b3cdda78 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: base64 44GT44KT44Gr44Gh44Gv5LiW55WM --000000000000663b1c05b3cdda78 Also its maybe worth pointing out that setting RESPONSE_INCLUDE_LEVEL to <=1 mitigates this. I've managed to fix this issue by decoding the message part with its original charset and then encoding it to preferred encoding of mailing list. I'm attaching my patch. Could you please consider merging it? Thanks for any help you can provide. ** Affects: mailman Importance: Undecided Status: New ** Attachment added: "mailman-cmd-replies.patch" https://bugs.launchpad.net/bugs/1921682/+attachment/5481811/+files/mailman-… -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1921682 Title: Japanese language prevents user from unsubscribing To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1921682/+subscriptions

1 day, 2 hours

[Bug 1895451] [NEW] Mailman 2.1 does not support dnspython >=2.0

by Mark Sapiro

Public bug reported: dnspython >=2.0 requires Python >=3.6 and won't work with Mailman 2.1. ./configure should check for dnspython <2.0 and mention this requirement of not found. ** Affects: mailman Importance: Medium Assignee: Mark Sapiro (msapiro) Status: New -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1895451 Title: Mailman 2.1 does not support dnspython >=2.0 To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1895451/+subscriptions

1 day, 2 hours

[Bug 1915655] [NEW] DMARC Wrap Message doesn't include Subject: in the wrapper.

by Mark Sapiro

Public bug reported: If the list has no subject_prefix, DMARC Wrap Message will not include the Subject: in the wrapped message. ** Affects: mailman Importance: High Assignee: Mark Sapiro (msapiro) Status: In Progress -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1915655 Title: DMARC Wrap Message doesn't include Subject: in the wrapper. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1915655/+subscriptions

1 day, 2 hours

[Bug 1947639] [NEW] Potential Privilege escalation via the user options page.

by Mark Sapiro

*** This bug is a security vulnerability *** Private security bug reported: The `csrf_token` generated for the `options` page is always an `admin` token rather than specific to the authenticated user for that session. This admin token contains information that is derived from the hashed list admin password, which could theoretically allow a brute-force attack to obtain the list admin password. Thanks to Andre Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and helping with the development of a fix. ** Affects: mailman Importance: Medium Assignee: Mark Sapiro (msapiro) Status: In Progress ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42096 ** Summary changed: - Potential Privilege escallation via the user options page. + Potential Privilege escalation via the user options page. -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1947639 Title: Potential Privilege escalation via the user options page. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1947639/+subscriptions

1 day, 2 hours

[Bug 1947640] [NEW] Potential CSRF attack via the user options page.

by Mark Sapiro

*** This bug is a security vulnerability *** Private security bug reported: A valid `csrf_token` generated for one user session can be considered valid for another user session. This allows an attacker to generate a token which they can engineer another user, with an active session, to send to the server to execute the commands specified by the attacker whilst authenticated as the victim. Theoretically this could allow account take over. Thanks to Andre Protas, Richard Cloke and Andy Nuttall of Apple for reporting these and helping with the development of a fix. ** Affects: mailman Importance: Medium Assignee: Mark Sapiro (msapiro) Status: In Progress ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42097 -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1947640 Title: Potential CSRF attack via the user options page. To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1947640/+subscriptions

1 day, 2 hours

[Merge] lp:~futatuki/mailman/2.1-ja-translation into lp:mailman/2.1

by mp+410251＠code.launchpad.net

The content of this message was lost. It was probably cross-posted to multiple lists and previously handled on another list.

6 days, 5 hours

[Bug 1946272] [NEW] make find_member support --moderators option (patch supplied)

by James Ralston

Public bug reported: We run many, many mailing lists via Mailman 2.1, because we are a Red Hat Enterprise Linux shop and Red Hat ships Mailman 2.1 for all current versions of RHEL. Whenever a user leaves our organization, we need the ability to identify all lists for which the user was a subscriber, owner, or moderator, and take appropriate action (e.g., remove the user as a subscriber, or transfer ownership of the list to another individual). The find_member program is helpful in searching lists, but as shipped it does not have the ability to search for target email addresses as list moderators. This is functionality we need, and we do not know any other way to obtain that information. So, we added a --moderators option to find_members. We've been using this patch locally literally for years. We would like Red Hat to accept this patch in their Mailman 2.1 packages for RHEL8, but Red Hat has a fairly strict policy of not patching software they package for RHEL unless upstream has accepted the patch. We don't care if this patch ever makes it into a Mailman 2.1.XX release, but would you please accept the patch, so that we can then ask Red Hat to include it in their Mailman 2.1 packages that they ship for RHEL8? Thank you for your consideration. ** Affects: mailman Importance: Undecided Status: New ** Patch added: "patch for find_member to take --moderators option" https://bugs.launchpad.net/bugs/1946272/+attachment/5531145/+files/mailman-… -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1946272 Title: make find_member support --moderators option (patch supplied) To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1946272/+subscriptions

1 week

Jump to page:

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

Mailman-coders