Discussion:
[Mailman-i18n] Security patch and Mailman 2.1.20 to be released on 31 March
Mark Sapiro
2015-03-27 21:42:44 UTC
A security vulnerability in Mailman has been found and fixed. It has
been assigned CVE-2015-2775. The details of this vulnerability and fix
will be announced next Tuesday, 31 March 2015, at which time both a
patch for this specific vulnerability and Mailman 2.1.20 will be released.

In addition to this security fix, Mailman 2.1.20 includes a new feature
allowing a list owner to change a list member's address through the
admin Membership Management... Section, and a couple of minor bug fixes.

The new feature is a fix for <https://launchpad.net/bugs/266809>.

The bugs fixed are: <https://launchpad.net/bugs/1426825>,
<https://launchpad.net/bugs/1426829> and
<https://launchpad.net/bugs/1427389>.

The security vulnerability, the details of which are currently private,
is <https://launchpad.net/bugs/1437145>.

The security vulnerability only affects those installations which use
Exim, Postfix's postfix_to_mailman.py or similar programmatic (not
aliases) MTA delivery to Mailman, and have untrusted local users on the
Mailman server.
--
Mark Sapiro <***@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Stef
2015-03-30 17:11:26 UTC
Post by Mark Sapiro
A security vulnerability in Mailman has been found and fixed. It has
been assigned CVE-2015-2775. The details of this vulnerability and fix
will be announced next Tuesday, 31 March 2015, at which time both a
patch for this specific vulnerability and Mailman 2.1.20 will be released.
Hi Mark,

On https://github.com/aviarypl/mailman-l10n-pl you can find the Polish translation (UTF-8) updated for 2.1.20.

Related changes:
https://github.com/aviarypl/mailman-l10n-pl/commit/749589cf097bd16625a7b0b1c2b4b621f0d862f5
https://github.com/aviarypl/mailman-l10n-pl/commit/95845352495323dc70565f14edff6ae1527bc8be


HTH,
Stefan
Mark Sapiro
2015-03-30 20:07:46 UTC
Post by Stef
On https://github.com/aviarypl/mailman-l10n-pl you can find Polish translation (UTF-8) updated for 2.1.20.
https://github.com/aviarypl/mailman-l10n-pl/commit/749589cf097bd16625a7b0b1c2b4b621f0d862f5
https://github.com/aviarypl/mailman-l10n-pl/commit/95845352495323dc70565f14edff6ae1527bc8be
Thank you. The updates will be in the release.
--
Mark Sapiro <***@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Danil Smirnov
2015-03-31 08:14:28 UTC
Hi everybody!

I've just proposed a merge with the Russian translations updated for 2.1.20 on
Launchpad.

Danil
Post by Mark Sapiro
Post by Stef
On https://github.com/aviarypl/mailman-l10n-pl you can find Polish
translation (UTF-8) updated for 2.1.20.
https://github.com/aviarypl/mailman-l10n-pl/commit/749589cf097bd16625a7b0b1c2b4b621f0d862f5
https://github.com/aviarypl/mailman-l10n-pl/commit/95845352495323dc70565f14edff6ae1527bc8be
Thank you. The updates will be in the release.
--
San Francisco Bay Area, California better use your sense - B. Dylan
Mark Sapiro
2015-03-31 14:27:35 UTC
Post by Mark Sapiro
A security vulnerability in Mailman has been found and fixed. It has
been assigned CVE-2015-2775. The details of this vulnerability and fix
will be announced next Tuesday, 31 March 2015, at which time both a
patch for this specific vulnerability and Mailman 2.1.20 will be released.
Here is more information. The report at
<https://launchpad.net/bugs/1437145> is now public.

Your installation is only vulnerable if both of the following are true.

1) Delivery of list mail to mailman from the MTA uses some kind of
programmatic method as opposed to fixed aliases. This includes Exim with
the recommended transport, Postfix with the postfix_to_mailman.py
transport and qmail with the qmail-to-mailman.py transport.

2) Untrusted users are able to create files on the Mailman server that
are accessible to Mailman. These can be in a user's home directory or
/tmp or anywhere that can be accessed via a path like
/path/to/mailman/lists/../../../../../../../../path/to/directory.

Installations most at risk likely include hosting services using cPanel
with untrusted users. Outside of those, the majority of sites are
probably not vulnerable.

This vulnerability is fixed by the patch in the attached file. This
patch will apply with at most a line number offset to the Utils.py
module in any Mailman 2.1.x version that doesn't already have it. If
your Mailman version is 2.1.11 or later, just apply the patch to
Mailman/Utils.py and restart Mailman. For versions older than 2.1.11,
the setting mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS referenced in the
patch doesn't exist, so you also need to add

ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'

to Defaults.py or mm_cfg.py before restarting Mailman.
--
Mark Sapiro <***@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
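The two conditions Mark lists above (programmatic MTA delivery that derives a list name from the recipient address, and a list name that can be turned into a path like /path/to/mailman/lists/../../...) and the fix he describes (validating the name against mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS) can be illustrated with a small stand-alone validator. This is an added example written for this thread, not the attached patch and not code from Mailman's Utils.py; it only borrows the character class value quoted in the post. The base directory LIST_DATA_DIR is a placeholder, and the second, path-normalisation check is an extra defence-in-depth layer that the post does not claim the patch performs.

```python
import os
import re

# Value quoted in the post for pre-2.1.11 installations; the directory
# below is a placeholder for this example, not a real installation path.
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
LIST_DATA_DIR = '/path/to/mailman/lists'

# Anchor the character class so the *entire* name must be made of
# permitted characters; a bare re.search would accept "../../etc".
_LISTNAME_RE = re.compile('^%s+$' % ACCEPTABLE_LISTNAME_CHARACTERS)


def listname_is_acceptable(name):
    """True if `name` is non-empty and built only from the characters
    allowed by ACCEPTABLE_LISTNAME_CHARACTERS (no '/', no uppercase)."""
    return bool(_LISTNAME_RE.match(name))


def list_path_is_confined(name, base=LIST_DATA_DIR):
    """Independent check (assumed for this example): after joining and
    normalising, the list directory must be a strict child of `base`.
    This catches names such as '..' that the character class alone
    permits, since '.' is an allowed character."""
    base = os.path.normpath(base)
    candidate = os.path.normpath(os.path.join(base, name))
    return candidate.startswith(base + os.sep)


def check_listname(name):
    """Run both checks on a name derived from a recipient address.
    Returns (ok, reason) so a delivery wrapper can log the rejection."""
    if not listname_is_acceptable(name):
        return (False, 'name contains characters outside the allowed set')
    if not list_path_is_confined(name):
        return (False, 'name does not resolve to a subdirectory of the list data directory')
    return (True, 'ok')


if __name__ == '__main__':
    # Constructed sample names: valid ones, mixed case, traversal attempts.
    for n in ['mylist', 'my-list+dev', 'MyList', '../../etc/passwd', '..', '', 'a/b']:
        print(repr(n), check_listname(n))
```

A wrapper such as a postfix_to_mailman.py-style transport would call check_listname on the local part before touching anything under the lists directory, and log and reject the message on failure rather than falling through to the file system.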