From mark at msapiro.net Sat Feb 3 18:34:27 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 03 Feb 2018 23:34:27 -0000
Subject: [Bug 1747209] [NEW] XSS vulnerability and information leak in user options CGI
Message-ID: <151770086802.27319.17038460499753991543.malonedeb@soybean.canonical.com>

*** This bug is a security vulnerability ***

Private security bug reported:

CVE-2018-5950

A crafted URL for a user options page can cause a browser to execute
arbitrary script encoded in the URL.

Also, in developing a fix for this issue it was discovered that a user
options URL with a VARHELP query fragment would display the user options
page without requiring login. No changes could be made and the settings
revealed are not particularly sensitive, but this could be used to fish
for membership on a list with a private roster.

Thanks to Calum Hutton for the original report.

** Affects: mailman
     Importance: High
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress

** Patch added: "Patch to fix this issue"
   https://bugs.launchpad.net/bugs/1747209/+attachment/5048344/+files/options.patch

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-5950

** Description changed:

  CVE-2018-5950
  
  A crafted URL for a user options page can cause a browser to execute
  arbitrary script encoded in the URL.
  
  Also, in developing a fix for this issue it was discovered that a user
  options URL with a VARHELP query fragment would display the user options
  page without requiring login. No changes could be made and the settings
  revealed are not particularly sensitive, but this could be used to fish
  for membership on a list with a private roster.
+ 
+ Thanks to Calum Hutton for the original report.

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1747209

Title:
  XSS vulnerability and information leak in user options CGI

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1747209/+subscriptions

From 1747209 at bugs.launchpad.net Sun Feb 4 12:21:35 2018
From: 1747209 at bugs.launchpad.net (Launchpad Bug Tracker)
Date: Sun, 04 Feb 2018 17:21:35 -0000
Subject: [Bug 1747209] Re: XSS vulnerability and information leak in user options CGI
References: <151770086802.27319.17038460499753991543.malonedeb@soybean.canonical.com>
Message-ID: <151776489661.13074.4811665849947921451.launchpad@ackee.canonical.com>

** Branch linked: lp:mailman/2.1

From mark at msapiro.net Sun Feb 4 12:25:18 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Feb 2018 17:25:18 -0000
Subject: [Bug 1747209] Re: XSS vulnerability and information leak in user options CGI
References: <151770086802.27319.17038460499753991543.malonedeb@soybean.canonical.com>
Message-ID: <151776511940.27805.970112058480051691.launchpad@soybean.canonical.com>

** Information type changed from Private Security to Public
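The bug report above names two defect classes in an options CGI: a query value from the URL reaching the page unescaped (the XSS), and a VARHELP request being answered before the login check (the membership leak). The toy handler below is an added example and is not Mailman's code or the linked patch; it models both defects in a deliberately unsafe render function and shows the hardened form beside it. The member data, VARHELP text, URL layout and login form are constructed for the example, and it assumes Python 3 (html.escape, urllib.parse).

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample data for a toy member-options page; none of it is Mailman's.
SETTINGS = {"alice@example.invalid": {"digest": "off", "nomail": "on"}}
VARHELP = {
    "digest": "Receive list traffic bundled into digests.",
    "nomail": "Stop delivery without unsubscribing.",
}
LOGIN_FORM = "<form method=post><input type=password name=pw>Log in</form>"


def parse_request(url):
    """Split an options URL into the member address in the path and its query fields."""
    parts = urlsplit(url)
    member = parts.path.rsplit("/", 1)[-1]
    fields = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return member, fields


def settings_table(member):
    """Render the member's settings; keys and values are escaped before interpolation."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(k), html.escape(v))
        for k, v in SETTINGS[member].items()
    )
    return "<table>%s</table>" % rows


def render_options_unsafe(url, session_member=None):
    """Toy handler with the two defect classes the report describes: a VARHELP
    request is answered before the login check (and even tells a non-member
    apart from a member), and the topic taken from the URL is interpolated raw."""
    member, q = parse_request(url)
    if "VARHELP" in q:
        if member not in SETTINGS:
            return "<p>No such member</p>"            # membership oracle
        topic = q["VARHELP"]
        text = VARHELP.get(topic, "No help for this option")
        return "<h2>%s</h2><p>%s</p>%s" % (topic, text, settings_table(member))
    if session_member != member or member not in SETTINGS:
        return LOGIN_FORM
    return settings_table(member)


def render_options_safe(url, session_member=None):
    """Hardened form: authenticate before any rendering, answer unknown and
    unauthenticated requests identically, and escape every URL-derived value."""
    member, q = parse_request(url)
    if session_member is None or session_member != member or member not in SETTINGS:
        return LOGIN_FORM             # same response whether or not the address is a member
    page = settings_table(member)
    if "VARHELP" in q:
        topic = q["VARHELP"]
        text = VARHELP.get(topic, "No help for this option")
        page = "<h2>%s</h2><p>%s</p>%s" % (
            html.escape(topic, quote=True), html.escape(text), page)
    return page


if __name__ == "__main__":
    url = "/mailman/options/mylist/alice@example.invalid?VARHELP=<script>x</script>"
    print("unsafe, no session:", render_options_unsafe(url))
    print("safe, no session:  ", render_options_safe(url))
    print("safe, logged in:   ", render_options_safe(url, session_member="alice@example.invalid"))
```

The ordering is the point: the hardened handler decides authentication before it looks at VARHELP at all, so a help request cannot become a side channel for roster membership, and the escaping is applied at the single place where untrusted text meets HTML rather than being left to each caller.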
From mark at msapiro.net Sun Feb 4 13:01:01 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Feb 2018 18:01:01 -0000
Subject: [Bug 1744739] Re: 2.1.25 login based pages not working with uwsgi
References: <151663514548.4431.13685248957496009295.malonedeb@wampee.canonical.com>
Message-ID: <151776726286.27766.3920906619570153693.launchpad@soybean.canonical.com>

** Changed in: mailman
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1744739

From mark at msapiro.net Sun Feb 4 13:01:16 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Feb 2018 18:01:16 -0000
Subject: [Bug 1740543] Re: Mailman 2.1.22+ requires Python 2.7
References: <151458045262.32616.5798589614115454314.malonedeb@wampee.canonical.com>
Message-ID: <151776727766.27734.5929330719918991184.launchpad@soybean.canonical.com>

** Changed in: mailman
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1740543

From mark at msapiro.net Sun Feb 4 13:01:44 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Feb 2018 18:01:44 -0000
Subject: [Bug 1734162] Re: OSError in Mailman/MTA/Postfix.py when updating maps.
References: <151145782114.7560.14612148944401178995.malonedeb@chaenomeles.canonical.com>
Message-ID: <151776730572.28127.5413974113748153128.launchpad@soybean.canonical.com>

** Changed in: mailman
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1734162

From mark at msapiro.net Sun Feb 4 13:11:53 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Feb 2018 18:11:53 -0000
Subject: [Bug 1747209] Re: XSS vulnerability and information leak in user options CGI
References: <151770086802.27319.17038460499753991543.malonedeb@soybean.canonical.com>
Message-ID: <151776791463.29236.174353885413037939.launchpad@chaenomeles.canonical.com>

** Changed in: mailman
       Status: In Progress => Fix Released

From mark at msapiro.net Sun Feb 4 13:12:22 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Feb 2018 18:12:22 -0000
Subject: [Bug 1746189] Re: wrong usage of _() in Mailman/Cgi/subscribe.py
References: <151730009476.15391.1007149142606868031.malonedeb@gac.canonical.com>
Message-ID: <151776794302.10268.10557064401935512460.launchpad@wampee.canonical.com>

** Changed in: mailman
       Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1746189

From mark at msapiro.net Sun Feb 4 13:12:04 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Feb 2018 18:12:04 -0000
Subject: [Bug 1737371] Re: Show which header_filter_rules regexp matched in the hold reason.
References: <151286489614.3023.9518352691325453733.malonedeb@gac.canonical.com>
Message-ID: <151776792598.10002.4993641191387893079.launchpad@wampee.canonical.com>

** Changed in: mailman
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1737371

From mark at msapiro.net Sun Feb 4 13:11:17 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Feb 2018 18:11:17 -0000
Subject: [Bug 1731604] Re: VERP fails if the recipient address local part is quoted.
References: <151038163229.934.12641910175503585284.malonedeb@chaenomeles.canonical.com>
Message-ID: <151776787836.27968.10740993939544612561.launchpad@soybean.canonical.com>

** Changed in: mailman
       Status: In Progress => Triaged

** Changed in: mailman
    Milestone: 2.1.26 => None

https://bugs.launchpad.net/bugs/1731604
From mark at msapiro.net Sun Feb 4 13:12:36 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Feb 2018 18:12:36 -0000
Subject: [Bug 1729472] Re: The DELIVERY_RETRY_WAIT setting is ignored
References: <150958133023.4803.5355005426737371068.malonedeb@chaenomeles.canonical.com>
Message-ID: <151776795778.28093.3966379757811102584.launchpad@soybean.canonical.com>

** Changed in: mailman
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1729472

From mark at msapiro.net Sun Feb 4 13:17:42 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 04 Feb 2018 18:17:42 -0000
Subject: [Bug 1731604] Re: VERP fails if the recipient address local part is quoted.
References: <151038163229.934.12641910175503585284.malonedeb@chaenomeles.canonical.com>
Message-ID: <151776826276.29423.15177740329526326642.launchpad@chaenomeles.canonical.com>

** Changed in: mailman
    Milestone: None => 2.1.27
From futatuki at poem.co.jp Thu Feb 8 07:36:24 2018
From: futatuki at poem.co.jp (Yasuhito FUTATSUKI at POEM)
Date: Thu, 08 Feb 2018 12:36:24 -0000
Subject: [Merge] lp:~futatuki/mailman/2.1-add-smtp-timeout into lp:mailman/2.1
Message-ID: <151809338233.24421.9608168353414269226.launchpad@ackee.canonical.com>

Yasuhito FUTATSUKI at POEM has proposed merging
lp:~futatuki/mailman/2.1-add-smtp-timeout into lp:mailman/2.1.

Requested reviews:
  Mailman Coders (mailman-coders)

For more details, see:
https://code.launchpad.net/~futatuki/mailman/2.1-add-smtp-timeout/+merge/337353

This adds a feature to the SMTPDirect handler to specify a timeout for the
SMTP response, to avoid waiting for a response forever. To specify the
timeout, set SMTP_TIMEOUT in mm_cfg.py. By default this is disabled
(waiting for a response until the MTA responds).

To test this feature, set mm_cfg.SMTP_TIMEOUT to a small value, set up the
MTA to delay its response (by using a greet pause feature, etc.), and run
the smtp test or post a message to a mailing list to deliver it.

-- 
Your team Mailman Coders is requested to review the proposed merge of
lp:~futatuki/mailman/2.1-add-smtp-timeout into lp:mailman/2.1.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: review-diff.txt
Type: text/x-diff
Size: 1726 bytes
Desc: not available
URL: 

From mark at msapiro.net Thu Feb 8 19:45:21 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 09 Feb 2018 00:45:21 -0000
Subject: [Merge] lp:~futatuki/mailman/2.1-add-smtp-timeout into lp:mailman/2.1
In-Reply-To: <151809338233.24421.9608168353414269226.launchpad@ackee.canonical.com>
Message-ID: <151813711995.2993.6787834178043350444.codereview@gac.canonical.com>

Thank you for this contribution. I'm still considering how to handle this.
I'd like to make Python 2.7 or at least Python 2.6 a minimum requirement,
but that's not really an issue as your code handles older versions.
But there is an issue in how socket.timeout is handled in OutgoingRunner.
Currently, OutgoingRunner treats all socket exceptions as a failure to
connect. I think I'd want to catch socket.timeout in SMTPDirect, log the fact
and then raise SomeRecipientsFailed instead.

Also I think it would be appropriate to set the default other than None.
Maybe something like one minute or five minutes, but I'm not sure what a
good value would be.

From futatuki at poem.co.jp Fri Feb 9 04:14:04 2018
From: futatuki at poem.co.jp (Yasuhito FUTATSUKI at POEM)
Date: Fri, 09 Feb 2018 09:14:04 -0000
Subject: [Merge] lp:~futatuki/mailman/2.1-add-smtp-timeout into lp:mailman/2.1
In-Reply-To: <151813711995.2993.6787834178043350444.codereview@gac.canonical.com>
Message-ID: <151816764396.9868.17322819032607827336.codereview@wampee.canonical.com>

Thank you for your consideration of this issue.

> But there is an issue in how socket.timeout is handled in OutgoingRunner.
> Currently, OutgoingRunner treats all socket exceptions as a failure to
> connect. I think I'd want to catch socket.timeout in SMTPDirect, log the fact
> and then raise SomeRecipientsFailed instead.

To accomplish it, there seem to be some different ways:

(1) inspect the SMTPDirect exception to find what caused it.
(2) override the methods of smtplib.SMTP that catch socket.error (send()
    and getreply(), in the current implementation of the smtplib module of
    CPython 2.x; socket.timeout can be raised in connect(), but it is not
    caught in connect()).
(3) write our own implementation of SMTP instead of using smtplib.
(4) other...

(1) and (2) depend on an undocumented part of smtplib (of the current
implementation in CPython 2) as a Python standard library, though.

Which way do you think we should take?
(I'd like to help you with this issue if I can do something for it.)

> Also I think it would be appropriate to set the default other than None. Maybe
> something like one minute or five minutes, but I'm not sure what a good value
> would be.

I agree that None is not appropriate for the default, but I also have no
idea what is good. That is why I chose None as the default value :-)

I think one minute is short even if the MTA trusts OutgoingRunner, if it
checks the message body, etc., but of course this is only my personal
opinion.
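The review above turns on how a socket timeout surfaces to the caller: OutgoingRunner treats every socket exception as a connection failure, and Yasuhito's option (2) exists because smtplib's send() and getreply() catch socket.error themselves. The following is an added example, not Mailman's code or the proposed patch, that makes both points observable. It assumes Python 3 (where socket.error is an alias of OSError, smtplib.SMTPException also derives from OSError, and an exception re-raised inside an except block keeps the original as `__context__`; Python 2 has no such chaining, so option (1) is weaker there). The silent listener standing in for an MTA with a greet pause, the helper names, and the outcome labels are all constructed for the example.

```python
import smtplib
import socket
import threading


def start_silent_mta():
    """Constructed stand-in for an MTA that accepts the TCP connection but never
    sends its 220 greeting. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()
    held = []  # accepted sockets are kept open so the client keeps waiting

    def serve():
        srv.settimeout(0.1)
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                held.append(conn)
            except socket.timeout:
                continue
        for conn in held:
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def free_port():
    """A port with no listener, so a connection to it is refused (constructed helper)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def classify_smtp_error(exc):
    """Option (1) from the thread: inspect the exception to find what caused it.

    The order of the checks matters. In Python 3 both socket.timeout and every
    smtplib.SMTPException are subclasses of OSError (== socket.error), so a
    single 'except socket.error' reports all of them as a failure to connect,
    which is the OutgoingRunner behaviour the review objects to.
    """
    if isinstance(exc, socket.timeout):
        return "timeout"            # raised directly, e.g. by create_connection()
    if isinstance(exc, smtplib.SMTPServerDisconnected) and isinstance(
            exc.__context__, socket.timeout):
        # getreply() catches the timeout and re-raises SMTPServerDisconnected;
        # the original socket.timeout survives only as the chained __context__.
        return "timeout"
    if isinstance(exc, smtplib.SMTPException):
        return "smtp-error"         # protocol-level failure after connecting
    if isinstance(exc, socket.error):
        return "connect-failed"     # refused, unreachable, name lookup failed ...
    return "other"


def probe_mta(host, port, timeout):
    """Open an SMTP session with the given timeout and report how it ended."""
    try:
        conn = smtplib.SMTP(host, port, local_hostname="localhost", timeout=timeout)
    except Exception as exc:
        return classify_smtp_error(exc)
    conn.close()
    return "connected"


if __name__ == "__main__":
    port, stop = start_silent_mta()
    print("MTA that never greets:", probe_mta("127.0.0.1", port, timeout=0.5))
    stop.set()
    print("no MTA listening:     ", probe_mta("127.0.0.1", free_port(), timeout=0.5))
```

Run against the silent listener the probe reports "timeout", against a closed port "connect-failed"; with a plain `except socket.error` around the smtplib call both cases would be indistinguishable, which is why the review wants the timeout caught and logged separately before a SomeRecipientsFailed is raised.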