From mark at msapiro.net  Fri Sep  2 00:27:57 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 02 Sep 2016 04:27:57 -0000
Subject: [Bug 1614841] Re: CSRF protection needs to be extended to the user options page
References: <20160819061743.11518.53854.malonedeb@soybean.canonical.com>
Message-ID: <20160902042758.12345.27137.malone@chaenomeles.canonical.com>

A patch to fix this, which is applicable to Mailman >= 2.1.15 and <= 2.1.22, is attached here. This fix has also been released as part of Mailman 2.1.23.

** Attachment added: "Patch for CVE-2016-6893"
   https://bugs.launchpad.net/mailman/+bug/1614841/+attachment/4732645/+files/patch_CVE-2016-6893

-- 
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1614841

Title:
  CSRF protection needs to be extended to the user options page

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1614841/+subscriptions


From mark at msapiro.net  Fri Sep  2 00:34:24 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 02 Sep 2016 04:34:24 -0000
Subject: [Bug 1614841] Re: CSRF protection needs to be extended to the user options page
References: <20160819061743.11518.53854.malonedeb@soybean.canonical.com>
Message-ID: <20160902043424.14682.9421.malone@wampee.canonical.com>

The patch attached at https://bugs.launchpad.net/mailman/+bug/1614841/comments/4 may look garbled if opened in your browser, but the downloaded file should be OK.


From mark at msapiro.net  Fri Sep  2 14:49:22 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 02 Sep 2016 18:49:22 -0000
Subject: [Bug 1619770] [NEW] cron/senddigests needs an exceptlist option
Message-ID: <20160902184923.32623.80593.malonedeb@gac.canonical.com>

Public bug reported:

Sites sometimes want to send digests on a different schedule for one or a few lists. This is currently difficult as it requires running cron/senddigests with, e.g., '-l listname' or '-l list1 -l list2' for the one or two and separately with '-l listn' for all the others, and this needs to be updated as lists are added or removed.

With a -e/--exceptlist option, only two crons are required, one with, e.g., '-l list1 -l list2' and one with '-e list1 -e list2'.

** Affects: mailman
     Importance: Low
       Assignee: Mark Sapiro (msapiro)
         Status: Fix Committed

-- 
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1619770

Title:
  cron/senddigests needs an exceptlist option

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1619770/+subscriptions


From 1619770 at bugs.launchpad.net  Fri Sep  2 14:54:25 2016
From: 1619770 at bugs.launchpad.net (Launchpad Bug Tracker)
Date: Fri, 02 Sep 2016 18:54:25 -0000
Subject: [Bug 1619770] Re: cron/senddigests needs an exceptlist option
References: <20160902184923.32623.80593.malonedeb@gac.canonical.com>
Message-ID: <20160902185430.25901.81994.launchpad@ackee.canonical.com>

** Branch linked: lp:mailman/2.1


From mark at msapiro.net  Fri Sep  2 14:54:31 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 02 Sep 2016 18:54:31 -0000
Subject: [Bug 1619770] Re: cron/senddigests needs an exceptlist option
References: <20160902184923.32623.80593.malonedeb@gac.canonical.com>
Message-ID: <20160902185432.16047.48247.launchpad@soybean.canonical.com>

** Changed in: mailman
       Status: New => Fix Committed


From mark at msapiro.net  Sun Sep  4 16:53:23 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Sep 2016 20:53:23 -0000
Subject: [Bug 1620121] [NEW] The provided SYSV init script for mailman is missing LSB INIT INFO
Message-ID: <20160904205323.12686.20783.malonedeb@chaenomeles.canonical.com>

Public bug reported:

This info is useful for systems (Debian/Ubuntu and maybe others) that use insserv or a similar process to determine boot sequence.

** Affects: mailman
     Importance: Low
       Assignee: Mark Sapiro (msapiro)
         Status: Fix Committed

-- 
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1620121

Title:
  The provided SYSV init script for mailman is missing LSB INIT INFO

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1620121/+subscriptions


From 1620121 at bugs.launchpad.net  Sun Sep  4 16:58:45 2016
From: 1620121 at bugs.launchpad.net (Launchpad Bug Tracker)
Date: Sun, 04 Sep 2016 20:58:45 -0000
Subject: [Bug 1620121] Re: The provided SYSV init script for mailman is missing LSB INIT INFO
References: <20160904205323.12686.20783.malonedeb@chaenomeles.canonical.com>
Message-ID: <20160904205849.11368.33313.launchpad@ackee.canonical.com>

** Branch linked: lp:mailman/2.1


From mark at msapiro.net  Sun Sep  4 16:58:54 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Sep 2016 20:58:54 -0000
Subject: [Bug 1620121] Re: The provided SYSV init script for mailman is missing LSB INIT INFO
References: <20160904205323.12686.20783.malonedeb@chaenomeles.canonical.com>
Message-ID: <20160904205855.32680.1650.launchpad@gac.canonical.com>

** Changed in: mailman
       Status: New => Fix Committed


From mark at msapiro.net  Sun Sep  4 17:05:43 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Sep 2016 21:05:43 -0000
Subject: [Bug 1620121] Re: The provided SYSV init script for mailman is missing LSB INIT INFO
References: <20160904205323.12686.20783.malonedeb@chaenomeles.canonical.com>
Message-ID: <20160904210543.306.61149.launchpad@gac.canonical.com>

** Description changed:

  This info is useful for systems (Debian/Ubuntu and maybe others) that
- use insserv or a similar process to determin boot sequence.
+ use insserv or a similar process to determine boot sequence.


From 1614841 at bugs.launchpad.net  Mon Sep  5 03:10:23 2016
From: 1614841 at bugs.launchpad.net (Matthias Andree)
Date: Mon, 05 Sep 2016 07:10:23 -0000
Subject: [Bug 1614841] Re: CSRF protection needs to be extended to the user options page
References: <20160819061743.11518.53854.malonedeb@soybean.canonical.com>
Message-ID: <20160905071023.14879.12153.malone@soybean.canonical.com>

Re Comment #3, it appears this has triggered a new CVE-2016-7123 to be issued just based on this one line that Mark Sapiro wrote, with no other confirmation than this launchpad bug #1614841, but I wonder if the latter CVE (CVE-2016-7123) is a duplicate of the old CVE-2011-0707, or a new separate issue. Haven't been able to find relevant information so far, and people are also wondering and reporting this elsewhere.

Related: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212378 <- requesting FreeBSD to list CVE-2016-7123 as a new bug (note that FreeBSD already marked CVE-2016-6893, which covers a wider span of versions).

** Bug watch added: bugs.freebsd.org/bugzilla/ #212378
   https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212378

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0707

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7123


From 1614841 at bugs.launchpad.net  Mon Sep  5 03:10:59 2016
From: 1614841 at bugs.launchpad.net (Matthias Andree)
Date: Mon, 05 Sep 2016 07:10:59 -0000
Subject: [Bug 1614841] Re: CSRF protection needs to be extended to the user options page
References: <20160819061743.11518.53854.malonedeb@soybean.canonical.com>
Message-ID: <20160905071059.16242.13532.malone@soybean.canonical.com>

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7123


From mark at msapiro.net  Mon Sep  5 11:16:03 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 05 Sep 2016 15:16:03 -0000
Subject: [Bug 1614841] Re: CSRF protection needs to be extended to the user options page
References: <20160819061743.11518.53854.malonedeb@soybean.canonical.com>
Message-ID: <20160905151603.16161.41746.malone@soybean.canonical.com>

CVE-2011-0707 is not related to this CSRF issue. It references an XSS vulnerability that was fixed in Mailman 2.1.15 and so noted in the changelog of that release at https://launchpad.net/mailman/2.1/2.1.15

CVE-2016-7123 is a new CVE that apparently just acknowledges the CSRF vulnerability in the admin interface that exists in Mailman prior to 2.1.15. See https://bugs.launchpad.net/mailman/+bug/775294


From mark at msapiro.net  Mon Sep  5 11:15:19 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 05 Sep 2016 15:15:19 -0000
Subject: [Bug 775294] Re: Set lifetime for input forms
References: <20110502024059.28344.3483.malonedeb@wampee.canonical.com>
Message-ID: <20160905151519.4745.82823.malone@wampee.canonical.com>

CVE-2016-7123 has recently been issued noting that a CSRF vulnerability exists in the admin interface in Mailman prior to 2.1.15.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7123

-- 
You received this bug notification because you are a member of Mailman Coders, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/775294

Title:
  Set lifetime for input forms

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/775294/+subscriptions


From mark at msapiro.net  Wed Sep  7 12:39:52 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 07 Sep 2016 16:39:52 -0000
Subject: [Bug 1621172] [NEW] paths.py should add dist-packages
Message-ID: <20160907163952.5098.99736.malonedeb@wampee.canonical.com>

Public bug reported:

Mailman's paths.py adds the path to the invoking Python's /usr/lib/pythonx.y/site-packages directory to sys.path in case it's missing due to Python being invoked with -S or some other reason. It should also add /usr/lib/pythonx.y/dist-packages.

** Affects: mailman
     Importance: Medium
       Assignee: Mark Sapiro (msapiro)
         Status: New

-- 
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1621172

Title:
  paths.py should add dist-packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1621172/+subscriptions


From 1621172 at bugs.launchpad.net  Wed Sep  7 20:01:08 2016
From: 1621172 at bugs.launchpad.net (Launchpad Bug Tracker)
Date: Thu, 08 Sep 2016 00:01:08 -0000
Subject: [Bug 1621172] Re: paths.py should add dist-packages
References: <20160907163952.5098.99736.malonedeb@wampee.canonical.com>
Message-ID: <20160908000111.12187.65539.launchpad@ackee.canonical.com>

** Branch linked: lp:mailman/2.1


From mark at msapiro.net  Wed Sep  7 20:01:20 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 08 Sep 2016 00:01:20 -0000
Subject: [Bug 1621172] Re: paths.py should add dist-packages
References: <20160907163952.5098.99736.malonedeb@wampee.canonical.com>
Message-ID: <20160908000121.26678.27245.launchpad@gac.canonical.com>

** Changed in: mailman
       Status: New => Fix Committed


From mark at msapiro.net  Thu Sep  8 20:10:31 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 09 Sep 2016 00:10:31 -0000
Subject: [Bug 1621172] Re: paths.py should add dist-packages (import error in Mailman CGIs)
References: <20160907163952.5098.99736.malonedeb@wampee.canonical.com>
Message-ID: <20160909001031.19143.20924.malone@gac.canonical.com>

Additional info on the impact of this bug.

Normally, the qrunner processes are not affected by this as the Python that runs mailmanctl is not invoked with a -S option. The compiled wrappers that invoke the Mailman CGIs and the mail queueing scripts do invoke Python with a -S option for additional security. This is also not normally a problem because the CGIs and mail queueing scripts don't import anything outside of Mailman and the Python standard library; however, if there are site or list modifications to use, for example, a modified MemberAdaptor that wants to import something such as 'ldap' which is outside of Mailman and the standard library, the path to that module must be in sys.path. The fix committed here will help in those cases, but won't help if the required module is, for example, in /usr/local/lib/pythonx.y/*.

** Summary changed:

- paths.py should add dist-packages
+ paths.py should add dist-packages (import error in Mailman CGIs)


From 265961 at bugs.launchpad.net  Thu Sep 15 11:15:51 2016
From: 265961 at bugs.launchpad.net (Foss-4)
Date: Thu, 15 Sep 2016 15:15:51 -0000
Subject: [Bug 265961] Re: mailman breaks PGP/MIME messages
References: <20080905192732.27052.70404.launchpad@forster.canonical.com>
Message-ID: <20160915151551.1963.80924.malone@chaenomeles.canonical.com>

Anybody in the mailman dev team? This bug has been obsolete for 13 years. Time to close it?

-- 
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/265961

Title:
  mailman breaks PGP/MIME messages

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/265961/+subscriptions


From mark at msapiro.net  Thu Sep 15 13:29:08 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 15 Sep 2016 17:29:08 -0000
Subject: [Bug 265961] Re: mailman breaks PGP/MIME messages
References: <20080905192732.27052.70404.launchpad@forster.canonical.com>
Message-ID: <20160915172909.1703.17046.launchpad@wampee.canonical.com>

** Changed in: mailman
       Status: New => Invalid


From 1625599 at bugs.launchpad.net  Tue Sep 20 07:57:19 2016
From: 1625599 at bugs.launchpad.net (Vseerror)
Date: Tue, 20 Sep 2016 11:57:19 -0000
Subject: [Bug 1625599] [NEW] sender filter should take precedence over spam filter
Message-ID: <20160920115719.6371.35250.malonedeb@gac.canonical.com>

Public bug reported:

Moderated list.

In Privacy options... Sender Filters (privacy/sender) I put an email address X@Y.Z in "List of non-member addresses whose postings will be automatically discarded." to be rejected.

In Privacy options... Spam Filters (privacy/spam) I have filters to match on spamassassin and other fields - in some cases to hold messages for moderation.

Messages from X@Y.Z that match a Spam Filter are not being rejected.

I detail this in https://bugzilla.mozilla.org/show_bug.cgi?id=1297763

** Affects: mailman
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1625599

Title:
  sender filter should take precedence over spam filter

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1625599/+subscriptions


From mark at msapiro.net  Tue Sep 20 12:44:52 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 20 Sep 2016 16:44:52 -0000
Subject: [Bug 1625599] Re: sender filter should take precedence over spam filter
References: <20160920115719.6371.35250.malonedeb@gac.canonical.com>
Message-ID: <20160920164453.8802.99313.malone@chaenomeles.canonical.com>

This is not a bug. It is a design decision. If you want to do membership tests (moderation and non-member tests) before header filter rules, you can configure that by putting the following in mm_cfg.py.

    GLOBAL_PIPELINE.remove('Moderate')
    GLOBAL_PIPELINE.insert(GLOBAL_PIPELINE.index('SpamDetect'), 'Moderate')

You could also address this with a header_filter_rules rule of the form

    regexp: ^From:.*\WX@Y\.Z(\W|$)
    action: discard

ahead of your other rules.

** Changed in: mailman
       Status: New => Invalid

** Changed in: mailman
     Assignee: (unassigned) => Mark Sapiro (msapiro)


From mark at msapiro.net  Thu Sep 29 14:59:57 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 29 Sep 2016 18:59:57 -0000
Subject: [Bug 1604544] Re: Letter links and footer links on admin Membership List rendered as Unicodes.
References: <20160719192112.8736.9447.malonedeb@soybean.canonical.com>
Message-ID: <20160929185958.18146.64824.launchpad@wampee.canonical.com>

** Summary changed:

- Letter links on admin Membership List rendered as Unicodes.
+ Letter links and footer links on admin Membership List rendered as Unicodes.

-- 
You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1604544

Title:
  Letter links and footer links on admin Membership List rendered as Unicodes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1604544/+subscriptions


From mark at msapiro.net  Thu Sep 29 15:07:19 2016
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 29 Sep 2016 19:07:19 -0000
Subject: [Bug 1604544] Re: Letter links and footer links on admin Membership List rendered as Unicodes.
References: <20160719192112.8736.9447.malonedeb@soybean.canonical.com>
Message-ID: <20160929190719.18181.68300.launchpad@wampee.canonical.com>

** Description changed:

  Following a search which returned more than admin_member_chunksize hits,
- the letter links on the admin Membership List are Unicodes and renderd
+ the letter links on the admin Membership List are Unicodes and rendered
  as u'http... which doesn't work.
+
+ The same applies to the footer links at the bottom of the page.
+
+ The letter links were fixed in 2.1.23. the footer links are fixed for
+ 2.1.24.

** Changed in: mailman
    Milestone: 2.1.23 => 2.1.24

** Changed in: mailman
       Status: Fix Released => Fix Committed
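The reply to bug 1625599 above gives two ways to make a non-member discard win over the spam filter rules: moving 'Moderate' ahead of 'SpamDetect' in GLOBAL_PIPELINE via mm_cfg.py, or a header_filter_rules regexp anchored on the From: header. The following is an added illustration written for this page; it is not code from the thread or from Mailman itself. It applies the reorder to a copy of what is assumed here to be the Mailman 2.1 default GLOBAL_PIPELINE order, and evaluates header_filter_rules-style regexps the way this example assumes Mailman 2.1's SpamDetect handler does: re.search over the decoded header block with re.IGNORECASE | re.MULTILINE, first matching rule wins. The header samples are constructed, the action names 'discard' and 'hold' stand in for Mailman's numeric action codes, and x@y.z stands for the X@Y.Z placeholder in the bug report (the list archive renders '@' as ' at ').

```python
import re

# Assumed copy of the Mailman 2.1 default GLOBAL_PIPELINE order (Defaults.py).
# In mm_cfg.py you would mutate the real list in place, as the reply shows;
# here we work on a copy so the original order stays visible.
GLOBAL_PIPELINE = [
    'SpamDetect', 'Approve', 'Replybot', 'Moderate', 'Hold', 'MimeDel',
    'Scrubber', 'Emergency', 'Tagger', 'CalcRecips', 'AvoidDuplicates',
    'Cleanse', 'CleanseDKIM', 'CookHeaders', 'ToDigest', 'ToArchive',
    'ToUsenet', 'AfterDelivery', 'Acknowledge', 'ToOutgoing',
]


def move_moderate_before_spamdetect(pipeline):
    """Return a copy of `pipeline` with 'Moderate' placed immediately before
    'SpamDetect', which is what the two mm_cfg.py lines in the reply do.
    Note this is site-wide: every list on the host gets the new order."""
    p = list(pipeline)
    p.remove('Moderate')
    p.insert(p.index('SpamDetect'), 'Moderate')
    return p


# header_filter_rules as (regexp, action) pairs, evaluated in order. The first
# rule is the one from the reply with the placeholder address filled in; the
# second is a constructed SpamAssassin-style rule of the kind the reporter had.
HEADER_FILTER_RULES = [
    (r'^From:.*\Wx@y\.z(\W|$)', 'discard'),
    (r'^X-Spam-Status:\s*Yes', 'hold'),
]


def first_matching_action(headers, rules=HEADER_FILTER_RULES):
    """Apply the rules to a raw header block ('Name: value\\n' lines).
    Assumed to mirror SpamDetect: IGNORECASE so X@Y.Z and x@y.z are the
    same, MULTILINE so '^From:' anchors at the start of each header line
    rather than only at the start of the block."""
    for pattern, action in rules:
        if re.search(pattern, headers, re.IGNORECASE | re.MULTILINE):
            return action
    return None


# Constructed header blocks exercising the \W guards and the ^ anchor.
SAMPLE_HEADERS = {
    'bracketed':  "From: Mallory <x@y.z>\nSubject: hi\n",
    'bare_upper': "From: X@Y.Z\nSubject: hi\n",
    'prefix':     "From: notx@y.z\nSubject: hi\n",        # 't' before x is \w
    'suffix':     "From: x@y.zz\nSubject: hi\n",          # extra 'z' after .z
    'spam_only':  "Reply-To: x@y.z\nFrom: alice@example.org\n"
                  "X-Spam-Status: Yes, score=7.2\n",      # From: line is clean
}


def classify_samples():
    """Map each constructed sample to the action the rules would take."""
    return {name: first_matching_action(hdrs)
            for name, hdrs in SAMPLE_HEADERS.items()}


if __name__ == '__main__':
    print(move_moderate_before_spamdetect(GLOBAL_PIPELINE)[:3])
    for name, action in classify_samples().items():
        print('%-10s -> %s' % (name, action))
```

Two things worth noticing. The `\W` on either side of the address is what stops `notx@y.z` and `x@y.zz` from matching, so a rule copied without them would discard more than intended; and because the rule is anchored on `^From:`, an address that only appears in Reply-To: or Sender: is not caught, which is why the 'spam_only' sample falls through to the hold rule. The pipeline reorder, by contrast, is not per-list: once 'Moderate' runs first, non-member discards on every list on the host fire before any header_filter_rules are consulted.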