mailman: Can not go to private archives

Bug #12999 reported by Debian Bug Importer
Affects           Status        Importance  Assigned to      Milestone
mailman (Debian)  Fix Released  Unknown
mailman (Ubuntu)  Fix Released  High        Tollef Fog Heen

Bug Description

Automatically imported from Debian bug report #294817 http://bugs.debian.org/294817

Revision history for this message
In , Per Olofsson (pelle) wrote : severity of 294817 is important

# Automatically generated email from bts, devscripts version 2.8.10
severity 294817 important

Revision history for this message
In , Matthew Hawkins (matthew-intology) wrote : Re: Can not go to private archives

I just noticed this one myself. Seems that the fix for CAN-2005-0202
included in the debian package forgot to define the variable called
SLASH that is used in the rewritten true_path() function.

As a quick fix, edit /usr/lib/mailman/Mailman/Cgi/private.py and around
line 42, just before the definition of the true_path() function, add:

SLASH = '/'

(this was part of the original 'fix' suggested by Barry Warsaw)

Cheers,

--
Matt
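
Why the missing SLASH only surfaced when someone requested a private archive, and a static check that flags it before upload, shown as an added example that is not part of the original thread or Mailman's own code. Only the list-comprehension line comes from the traceback on this page; the rest of `true_path()`, the `undefined_globals` and `call_outcome` helpers and the sample paths are assumptions constructed for illustration.

```python
import ast
import builtins

# Constructed stand-in for the patched Cgi/private.py. Only the list
# comprehension is the line quoted in the traceback on this page; the
# return statement is an assumption made so the function is complete.
BROKEN = '''
def true_path(path):
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)
'''
FIXED = "SLASH = '/'\n" + BROKEN  # the one-line fix from the thread


def undefined_globals(source):
    """Names read somewhere in the module but never bound anywhere in it.

    Deliberately coarse (ignores scoping), which is enough to flag a
    constant that a backported patch uses without defining.
    """
    bound, loaded = set(dir(builtins)), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Name):
            (loaded if isinstance(node.ctx, ast.Load) else bound).add(node.id)
        elif isinstance(node, (ast.FunctionDef, ast.ClassDef)):
            bound.add(node.name)
        elif isinstance(node, ast.arg):
            bound.add(node.arg)
        elif isinstance(node, ast.ExceptHandler) and node.name:
            bound.add(node.name)
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            bound.update((a.asname or a.name).split('.')[0] for a in node.names)
    return sorted(loaded - bound)


def call_outcome(source, path):
    """Load the module source, call true_path(path), report result or error."""
    namespace = {}
    exec(compile(source, "private.py", "exec"), namespace)  # "import" succeeds
    try:
        return namespace["true_path"](path)
    except NameError as exc:
        return "NameError: %s" % exc


if __name__ == "__main__":
    for label, src in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, undefined_globals(src), call_outcome(src, "/list/../../x"))
```

The broken module loads without error and fails only when `true_path()` is called, which is why the regression reached users; running a check like this (or a linter such as pyflakes) over a patched file catches it at build time.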

Revision history for this message
In , Tollef Fog Heen (tfheen) wrote : merging 294817 294874, severity of 294817 is grave

# Automatically generated email from bts, devscripts version 2.8.6
merge 294817 294874
severity 294817 grave

Revision history for this message
In , Tollef Fog Heen (tfheen) wrote : severity of 295187 is grave, merging 295187 294817

# Automatically generated email from bts, devscripts version 2.8.6
severity 295187 grave
merge 295187 294817

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 11 Feb 2005 20:41:57 +0100
From: Thomas Nilsson <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mailman: Can not go to private archives

Package: mailman
Version: 2.1.5-6
Severity: normal

After installing the latest security patch I can not visit the private
mail-archives. I get the following message:

------------------------------
Bug in Mailman version 2.1.5

We're sorry, we hit a bug!

Please inform the webmaster for this site of this problem. Printing of
traceback and other system information has been explicitly inhibited,
but the webmaster can find this information in the Mailman error logs.

-------------------------------

As I am the webmaster I can not do anything else than report it...

The following error dump is generated:
--------------------------------

Feb 11 20:25:29 2005 admin(25407): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(25407): [----- Mailman Version: 2.1.5 -----]
admin(25407): [----- Traceback ------]
admin(25407): Traceback (most recent call last):
admin(25407): File "/var/lib/mailman/scripts/driver", line 110, in run_main
admin(25407): main()
admin(25407): File "/usr/lib/mailman/Mailman/Cgi/private.py", line 68, in main
admin(25407): true_path(path))
admin(25407): File "/usr/lib/mailman/Mailman/Cgi/private.py", line 42, in true_path
admin(25407): parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
admin(25407): NameError: global name 'SLASH' is not defined
admin(25407): [----- Python Information -----]
admin(25407): sys.version = 2.3.4 (#2, Jan 5 2005, 08:24:51)
[GCC 3.3.5 (Debian 1:3.3.5-5)]
admin(25407): sys.executable = /usr/bin/python
admin(25407): sys.prefix = /usr
admin(25407): sys.exec_prefix = /usr
admin(25407): sys.path = /usr
admin(25407): sys.platform = linux2
admin(25407): [----- Environment Variables -----]
admin(25407): HTTP_COOKIE: grimstadata+admin=28020000006923060d42732800000033613332393139386261353439643738623037653065373838623939393336333939613563346237; SQMSESSID=45d650c24a923598efcbd722a7ac1cc3
admin(25407): SERVER_SOFTWARE: Apache/2.0.52 (Debian GNU/Linux) mod_python/3.1.3 Python/2.3.4 PHP/4.3.10-2 mod_ssl/2.0.52 OpenSSL/0.9.7e mod_perl/1.999.20 Perl/v5.8.4
admin(25407): SCRIPT_NAME: /mailman/private
admin(25407): SERVER_SIGNATURE: <address>Apache/2.0.52 (Debian GNU/Linux) mod_python/3.1.3 Python/2.3.4 PHP/4.3.10-2 mod_ssl/2.0.52 OpenSSL/0.9.7e mod_perl/1.999.20 Perl/v5.8.4 Server at *** Port 80</address>
admin(25407):
admin(25407): REQUEST_METHOD: GET
admin(25407): HTTP_KEEP_ALIVE: 300
admin(25407): SERVER_PROTOCOL: HTTP/1.1
admin(25407): QUERY_STRING:
admin(25407): HTTP_ACCEPT_CHARSET: ISO-8859-15,utf-8;q=0.7,*;q=0.7
admin(25407): HTTP_USER_AGENT: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050110 Firefox/1.0 (Debian package 1.0+dfsg.1-2)
admin(25407): HTTP_CONNECTION: keep-alive
admin(25407): SERVER_NAME: ***
admin(25407): REMOTE_ADDR: x.x.x.x
admin(25407): PATH_TRANSLATED: /var/www/grimsta/grimstadata/
admin(25407): SERVER_PORT: 80
admin(25407): SERVER_ADDR: 192.168.1.20 ...

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 11 Feb 2005 22:02:01 +0100
From: Per Olofsson <email address hidden>
To: <email address hidden>
Subject: severity of 294817 is important

# Automatically generated email from bts, devscripts version 2.8.10
severity 294817 important

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 15 Feb 2005 11:23:20 +1100
From: Matthew Hawkins <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: Can not go to private archives

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 16 Feb 2005 21:17:04 +0100
From: Tollef Fog Heen <email address hidden>
To: <email address hidden>
Subject: merging 294817 294874, severity of 294817 is grave

# Automatically generated email from bts, devscripts version 2.8.6
merge 294817 294874
severity 294817 grave

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 16 Feb 2005 21:18:22 +0100
From: Tollef Fog Heen <email address hidden>
To: <email address hidden>
Subject: severity of 295187 is grave, merging 295187 294817

# Automatically generated email from bts, devscripts version 2.8.6
severity 295187 grave
merge 295187 294817

Revision history for this message
Debian Bug Importer (debzilla) wrote :

*** Bug 13000 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Francesco Rabbi (sythos) wrote : mailman: Patch, problem solved (#295187 too)

Package: mailman
Version: 2.1.5-6
Followup-For: Bug #294817

patch:

--- private.py 8 Feb 2003 07:13:50 -0000 2.16.2.1
+++ private.py 10 Feb 2005 03:34:21 -0000
@@ -35,13 +35,17 @@
     _ = i18n._
 i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)

+SLASH = '/'
+
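
Review bot: the hunk header `@@ -35,13 +35,17 @@` declares 13 old and 17 new lines, but only two context lines and two added lines (`+SLASH = '/'` and an empty `+`) are present, so the patch as posted is truncated and will not apply cleanly; please resend the complete hunk so the remaining additions can be reviewed. The visible addition itself matches the traceback: a module-level `SLASH = '/'` placed ahead of true_path() resolves the NameError raised at private.py line 42. Since the name is used by a security fix and the failure only appears when the private archive CGI is actually requested, it would be worth adding a post-build smoke test that calls true_path() or runs an undefined-name check over the patched file.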

#end

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.29-C3EZRA
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mailman depends on:
ii apache [httpd] 1.3.33-4 versatile, high-performance HTTP s
ii apache-ssl [httpd] 1.3.33-4 versatile, high-performance HTTP s
ii cron 3.0pl1-86 management of regular background p
ii debconf 1.4.45 Debian configuration management sy
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii logrotate 3.7-2 Log rotation utility
ii postfix [mail-transport-age 2.1.5-6 A high-performance mail transport
ii pwgen 2.03-1 Automatic Password generation
ii python 2.3.5-1 An interactive high-level object-o
ii ucf 1.14 Update Configuration File: preserv

-- debconf information:
* mailman/queue_files_present:
* mailman/default_server_language: it
* mailman/gate_news: false
* mailman/site_languages: it
* mailman/used_languages: it
* mailman/create_site_list:

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 16 Feb 2005 22:46:32 +0100
From: Sythos <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mailman: Patch, problem solved (#295187 too)

Revision history for this message
In , Tollef Fog Heen (tfheen-vawad) wrote : Fixed in -7

Format: 1.7
Date: Wed, 16 Feb 2005 20:29:00 +0100
Source: mailman
Binary: mailman
Architecture: source i386
Version: 2.1.5-7
Distribution: unstable
Urgency: high
Maintainer: Tollef Fog Heen <email address hidden>
Changed-By: Tollef Fog Heen <email address hidden>
Description:
 mailman - Powerful, web-based mailing list manager
Closes: 284311 287636 293861 294874
Changes:
 mailman (2.1.5-7) unstable; urgency=high
 .
   * Brown bag release -- use '/' instead of the undefined SLASH in
     Cgi/private.py. (closes: #294874)
   * Handle the case of non-ascii chars in realname. (closes: #293861)
   * Fix up typo in cron script (closes: #284311)
   * Use head -n 1 instead of cat for getting the mailname out of
     /etc/mailname. (closes: #287636)
Files:
 468063270307cf797c9ae6ac0f129966 651 mail optional mailman_2.1.5-7.dsc
 8b0f00baf951c13f3a4e478215ee6782 114883 mail optional mailman_2.1.5-7.diff.gz
 d2b4d74ad498f4ea4cbb3b3eebf05832 6609134 mail optional mailman_2.1.5-7_i386.deb

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 17 Feb 2005 09:10:16 +0100
From: Tollef Fog Heen <email address hidden>
To: <email address hidden>
Subject: Fixed in -7

Revision history for this message
Matt Zimmerman (mdz) wrote :

Tollef, is this something which justifies a freeze exception? If not, please
downgrade it

Revision history for this message
Tollef Fog Heen (tfheen) wrote :

It is already merged, so resolving.

Changed in mailman:
status: Unknown → Fix Released