From 1501762 at bugs.launchpad.net Thu Oct 1 15:29:48 2015
From: 1501762 at bugs.launchpad.net (Steeve McCauley)
Date: Thu, 01 Oct 2015 13:29:48 -0000
Subject: [Bug 1501762] [NEW] Security issues: passwords are stored in plaintext
Message-ID: <20151001132948.30312.8650.malonedeb@chaenomeles.canonical.com>

*** This bug is a security vulnerability ***

Public security bug reported:

Passwords for the mailing list users are stored in plaintext, and mailed to the users each month as "reminders" by default.

Passwords should be hashed securely using modern hashing methods and the password thrown away.

Mailing passwords in plaintext is something that was acceptable in 1992, barely. Doing so in 2015 is insane.

At the very least the default setting of mailing out users' passwords in plaintext should be eliminated. Password recovery methods should be modernized.

** Affects: mailman
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1501762

Title:
  Security issues: passwords are stored in plaintext

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1501762/+subscriptions

From mark at msapiro.net Thu Oct 1 17:40:48 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 01 Oct 2015 15:40:48 -0000
Subject: [Bug 1501762] Re: Security issues: passwords are stored in plaintext
References: <20151001132948.30312.8650.malonedeb@chaenomeles.canonical.com>
Message-ID: <20151001154048.3554.43693.malone@soybean.canonical.com>

*** This bug is a duplicate of bug 265179 ***
    https://bugs.launchpad.net/bugs/265179

This is a well known, long standing issue. See . It is fixed in Mailman 3. It won't be fixed in Mailman 2.1, but you can stop sending monthly reminders by removing the crontab entry that sends them.

** This bug has been marked a duplicate of bug 265179
   Security hole: passwords mailed in clear

From mark at msapiro.net Tue Oct 6 22:25:15 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 06 Oct 2015 20:25:15 -0000
Subject: [Bug 1503422] [NEW] Mailman's provided init.d script may not work with systemctl.
Message-ID: <20151006202515.26614.28165.malonedeb@gac.canonical.com>

Public bug reported:

The provided misc/mailman.in script contains the line

# pidfile: @prefix@/data/master-qrunner.pid

While this is a comment, it may be used by chkconfig, etc. and it's wrong. It should be

# pidfile: @VAR_PREFIX@/data/master-qrunner.pid

** Affects: mailman
     Importance: Low
     Assignee: Mark Sapiro (msapiro)
         Status: Fix Committed

--
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1503422

Title:
  Mailman's provided init.d script may not work with systemctl.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1503422/+subscriptions

From 1503422 at bugs.launchpad.net Tue Oct 6 22:29:55 2015
From: 1503422 at bugs.launchpad.net (Launchpad Bug Tracker)
Date: Tue, 06 Oct 2015 20:29:55 -0000
Subject: [Bug 1503422] Re: Mailman's provided init.d script may not work with systemctl.
References: <20151006202515.26614.28165.malonedeb@gac.canonical.com>
Message-ID: <20151006202957.13666.76371.launchpad@ackee.canonical.com>

** Branch linked: lp:mailman/2.1

From mark at msapiro.net Tue Oct 6 22:30:03 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 06 Oct 2015 20:30:03 -0000
Subject: [Bug 1503422] Re: Mailman's provided init.d script may not work with systemctl.
References: <20151006202515.26614.28165.malonedeb@gac.canonical.com>
Message-ID: <20151006203004.26700.9677.launchpad@gac.canonical.com>

** Changed in: mailman
       Status: In Progress => Fix Committed

From mark at msapiro.net Wed Oct 14 04:46:32 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 14 Oct 2015 02:46:32 -0000
Subject: [Bug 1505878] [NEW] Mailman can cause extraneous tabs to be displayed in Subject: headers
Message-ID: <20151014024632.20704.24186.malonedeb@gac.canonical.com>

Public bug reported:

The genesis of this problem is that the header folding and unfolding algorithms specified in RFC822 could introduce extraneous white space in headers which have been folded and unfolded.

RFC822 says when folding, "a CRLF immediately followed by AT LEAST one LWSP-char" may be inserted where linear-white-space is allowed, and unfolding "is accomplished by regarding CRLF immediately followed by a LWSP-char as equivalent to the LWSP-char." Thus, one can insert "AT LEAST one LWSP-char" when folding but not remove any when unfolding.

The later RFCs 2822 and 5322 clarify the situation by specifying folding as inserting CRLF preceding existing white-space and unfolding as removing any CRLF which is immediately followed by white-space.

Various MUAs and supporting libraries including the Python 2 email library used by Mailman still follow the RFC822 method of folding and can fold by inserting CRLF followed by TAB and the TAB then doesn't get removed in unfolding.

There is actually control in the Python email library to use TAB or SPACE, and Mailman attempts to determine what character has been used and uses that, but in the case where a Subject: header is not folded but becomes long enough to be folded because of the insertion of a subject_prefix for example, Mailman defaults to a TAB which doesn't get removed in unfolding.

The situation will never be perfect as long as there are MUAs that fold per RFC822 and MUAs that attempt to compensate by removing some white-space following CRLF, but it will be improved somewhat by defaulting to folding with SPACE rather than TAB.

** Affects: mailman
     Importance: Low
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress

--
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1505878

Title:
  Mailman can cause extraneous tabs to be displayed in Subject: headers

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1505878/+subscriptions

From 1505878 at bugs.launchpad.net Wed Oct 14 18:53:28 2015
From: 1505878 at bugs.launchpad.net (Launchpad Bug Tracker)
Date: Wed, 14 Oct 2015 16:53:28 -0000
Subject: [Bug 1505878] Re: Mailman can cause extraneous tabs to be displayed in Subject: headers
References: <20151014024632.20704.24186.malonedeb@gac.canonical.com>
Message-ID: <20151014165330.2096.21167.launchpad@ackee.canonical.com>

** Branch linked: lp:mailman/2.1

From mark at msapiro.net Wed Oct 14 19:06:41 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 14 Oct 2015 17:06:41 -0000
Subject: [Bug 1505878] Re: Mailman can cause extraneous tabs to be displayed in Subject: headers
References: <20151014024632.20704.24186.malonedeb@gac.canonical.com>
Message-ID: <20151014170642.10648.17542.launchpad@wampee.canonical.com>

** Changed in: mailman
       Status: In Progress => Fix Committed

From 1507241 at bugs.launchpad.net Sun Oct 18 04:35:25 2015
From: 1507241 at bugs.launchpad.net (Launchpad Bug Tracker)
Date: Sun, 18 Oct 2015 02:35:25 -0000
Subject: [Bug 1507241] Re: Bad regexps in *_these_nonmembers, subscribe_auto_approval and ban_list should be logged
References: <20151018021144.21127.68846.malonedeb@gac.canonical.com>
Message-ID: <20151018023527.16721.90304.launchpad@ackee.canonical.com>

** Branch linked: lp:mailman/2.1

--
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1507241

Title:
  Bad regexps in *_these_nonmembers, subscribe_auto_approval and ban_list should be logged

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1507241/+subscriptions

From mark at msapiro.net Sun Oct 18 04:36:04 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 18 Oct 2015 02:36:04 -0000
Subject: [Bug 1507241] Re: Bad regexps in *_these_nonmembers, subscribe_auto_approval and ban_list should be logged
References: <20151018021144.21127.68846.malonedeb@gac.canonical.com>
Message-ID: <20151018023605.17268.19759.launchpad@chaenomeles.canonical.com>

** Changed in: mailman
       Status: In Progress => Fix Committed

From mark at msapiro.net Sun Oct 18 04:11:44 2015
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 18 Oct 2015 02:11:44 -0000
Subject: [Bug 1507241] [NEW] Bad regexps in *_these_nonmembers, subscribe_auto_approval and ban_list should be logged
Message-ID: <20151018021144.21127.68846.malonedeb@gac.canonical.com>

Public bug reported:

The list attributes *_these_nonmembers, subscribe_auto_approval and ban_list accept lists of email addresses and regexps (beginning with '^') matching email addresses. Currently, if the regexp is invalid, it is silently ignored. The GUI does not accept invalid regexp entries, but there are other ways they could be introduced. An invalid regexp should at least be logged.

** Affects: mailman
     Importance: Low
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress
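
The behaviour bug 1507241 asks for, as an added example that is not Mailman's code and not part of any message above: entries beginning with '^' are compiled as regexps, and an entry that fails to compile is logged and reported instead of being skipped silently. The function names, the logger name, the case-insensitive matching and the sample ban_list entries are assumptions made for illustration.

```python
import logging
import re

log = logging.getLogger("example.listpatterns")  # hypothetical logger name


def split_patterns(entries, attr_name):
    """Separate an attribute's entries into literal addresses, compiled
    regexps and invalid regexps. Every invalid regexp is logged."""
    literals, regexps, invalid = set(), [], []
    for entry in entries:
        if not entry.startswith("^"):
            # Plain address; compared case-insensitively (assumption).
            literals.add(entry.lower())
            continue
        try:
            regexps.append(re.compile(entry, re.IGNORECASE))
        except re.error as exc:
            # The case the report describes: the pattern cannot be used,
            # so record which attribute and which entry were affected.
            log.error("%s: invalid regexp %r ignored: %s", attr_name, entry, exc)
            invalid.append(entry)
    return literals, regexps, invalid


def is_listed(address, entries, attr_name):
    """Return (matched, invalid_entries) for one address and one attribute."""
    literals, regexps, invalid = split_patterns(entries, attr_name)
    matched = address.lower() in literals or any(r.search(address) for r in regexps)
    return matched, invalid


# Constructed sample data: the last entry has an unclosed '[' and cannot compile.
BAN_LIST = ["spammer@example.com", r"^.*@bad\.example$", r"^.*[@evil\.example$"]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for addr in ("user@bad.example", "user@evil.example"):
        print(addr, is_listed(addr, BAN_LIST, "ban_list"))
```

With the constructed list, user@evil.example is not matched because the entry meant to cover it never compiled; the log line is the only trace of that.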
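
The folding round trip described in bug 1505878, as an added example that is not Mailman's code and not part of any message above: a Subject: header that becomes long enough to fold after a prefix is inserted is folded by replacing a space with CRLF plus a continuation character, then unfolded the RFC 5322 way. The helper names, the 40-column width and the sample subject and prefix are assumptions made for illustration.

```python
import re


def fold(header, ws, width=40):
    """Fold at white space, starting each continuation line with `ws`.
    The space at the break point is replaced by CRLF + ws, which is the
    RFC822-style folding the report describes."""
    words = header.split(" ")
    lines, cur = [], words[0]
    for word in words[1:]:
        if len(cur) + 1 + len(word) > width:
            lines.append(cur)
            cur = ws + word
        else:
            cur += " " + word
    lines.append(cur)
    return "\r\n".join(lines)


def unfold_5322(folded):
    """RFC 5322 unfolding: remove any CRLF immediately followed by white
    space, leaving that white space in place."""
    return re.sub(r"\r\n(?=[ \t])", "", folded)


def roundtrip(subject, prefix, ws, width=40):
    """Insert a subject prefix, fold with `ws`, then unfold."""
    header = "Subject: %s %s" % (prefix, subject)
    return unfold_5322(fold(header, ws, width))


# Constructed sample values.
SUBJECT = "Minutes of the quarterly planning meeting"
PREFIX = "[Example-list]"

if __name__ == "__main__":
    print(repr(roundtrip(SUBJECT, PREFIX, "\t")))  # TAB survives unfolding
    print(repr(roundtrip(SUBJECT, PREFIX, " ")))   # original spacing restored
```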