Mailman Upgrade to 2.1.29 - Ubuntu 16.04

Bug #1803838 reported by Fernando
Affects: mailman (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

In Ubuntu 16.04 LTS the version of Mailman currently available in the package manager is 2.1.20 while the latest one is 2.1.29 and which is also the latest available on Mailman website.

There have been several bug and security fixes between 2.1.20 and 2.1.29, which make it look worthwhile to get the package in the package manager upgraded.

What does it take to get the package bumped to 2.1.29 in Ubuntu 16.04?

Mark Sapiro (msapiro) wrote :

If you want to upgrade the Ubuntu 16.04 package from source, see https://wiki.list.org/x/17891606.

no longer affects: mailman
Jim Popovitch (jimpop) wrote :
affects: ubuntu → mailman (Ubuntu)
tags: added: xenial
Hans Joachim Desserud (hjd) wrote :

Thanks for reporting.

Ubuntu is not a rolling release, so package versions are usually not updated from the one initially provided in a certain Ubuntu release. Newer versions of packages are added to newer Ubuntu releases.

There are a couple of exceptions. The first one is major bugs or security issues where the issue is fixed by applying a patch for that specific issue in the form of a Stable Release Upgrade (https://wiki.ubuntu.com/StableReleaseUpdates#Procedure). As you can see from https://launchpad.net/ubuntu/+source/mailman, for 16.04 a couple of security issues seem to have been fixed in 1:2.1.20-1ubuntu0.3.

The second case is offering a newer version of the package in the backports pocket, which makes a newer version of a package optionally available and installable on an older Ubuntu release. See https://wiki.ubuntu.com/UbuntuBackports#Requesting_a_Backport for details on how to request a backport.

When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. This will mark the correct package as affected and automatically add other relevant information such as version numbers.

Fernando (ffredy) wrote :

Hello Hans.
Thanks for the update.

I guess that would be the case for Mailman 3.0, for example, but in the case we are talking about there are several security fixes listed in the changelog from version 2.1.20 to 2.1.29.
I believe the security issues that have been fixed in 2.1.20-1ubuntu0.3 are fixes that were made available up to that version in the source code, so compared to the current latest version there are new pending bug and security fixes to be applied to the package available in the package manager.

I don't think pushing a release upgrade is the best approach for a case like this, as it doesn't take any backports as necessary or anything that is rather complex like a kernel dependency, or that involves other details.
There are plenty of reasons to keep running an LTS version with the latest bug and security fixes applied to certain packages until it is possible to do a release upgrade.

It seems the backport would not be the case for this one either.

Thanks for the tips about bug reporting. I tried to mark the proper package affected but it seems it didn't work.

Andreas Hasenack (ahasenack) wrote :

Current state of mailman in the Security Team's CVE tracker:

http://people.canonical.com/~ubuntu-security/cve/pkg/mailman.html

At the moment, these are in a needs-triage state: CVE-2018-0618 and CVE-2018-13796

Andreas Hasenack (ahasenack) wrote :

A "blanket" bug like this, requesting a big upgrade, is unlikely to be resolved. I think it's best to highlight a specific issue in a specific bug report, even if you end up with multiple reports. Then someone working on it can decide whether it's best to backport a fix, or upgrade the version. Usually the former is better, especially considering xenial is an LTS release.

Fernando (ffredy) wrote :

Yeah, given that the most appropriate is a version upgrade, but I find it a bit strange to have to report an individual issue in order for that to happen, as there are known pending security fixes. Perhaps it just speeds things up, if I understand correctly.

Robie Basak (racb) wrote :

> given that the most appropriate is a version upgrade

Not necessarily. The most appropriate approach to take will be decided between Ubuntu developers, the security team, the stable release updates team and anyone else actually doing the work.

> as there are known pending security fixes

Security fixes are usually cherry-picked. Note that the two outstanding CVEs have been determined to be of low severity by the security team.

> Perhaps it just speeds up things if I understand correctly.

Not really, but what we do, how we approach it and how we prioritise it differ depending on the actual issues that need to be addressed, so we need to be told what the actual problems are that are being reported.

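The point above, that Ubuntu security fixes are cherry-picked into the existing package version rather than shipped by bumping the upstream version, means the version string alone (1:2.1.20-1ubuntu0.3) does not tell you which CVEs are addressed; the package changelog does. The following is an added shell example, not part of this thread or of the mailman package, that extracts the CVE identifiers a Debian/Ubuntu changelog mentions and reports which of a list of tracked CVEs are still unmentioned. The changelog text, the maintainer name and the CVE identifiers CVE-2018-0000 and CVE-2018-0001 inside it are constructed placeholders, not the real mailman changelog.

```shell
#!/bin/sh
# Added example (not from the Launchpad thread): inspect a Debian/Ubuntu
# package changelog for the CVE identifiers it references. An SRU
# cherry-picks fixes without changing the upstream version, so grepping
# the changelog is the quick local check; the Ubuntu CVE tracker remains
# the authoritative source.

# Print the unique CVE identifiers found in the changelog text on stdin.
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the changelog text in $2 mentions the CVE identifier $1, else 1.
cve_mentioned() {
    printf '%s\n' "$2" | changelog_cves | grep -qx "$1"
}

# Given a changelog text followed by a list of tracked CVE identifiers,
# print the ones the changelog does not mention (i.e. still to verify).
unmentioned_cves() {
    changelog="$1"
    shift
    for cve in "$@"; do
        cve_mentioned "$cve" "$changelog" || printf '%s\n' "$cve"
    done
}

# Constructed sample changelog. The maintainer, date and the two CVE ids
# are placeholders chosen for the example; they are not real mailman entries.
SAMPLE_CHANGELOG='mailman (1:2.1.20-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: placeholder fix description
    - CVE-2018-0000
    - CVE-2018-0001

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2018 00:00:00 +0000
'

# Stand-alone demonstration: which of the two CVEs tracked in this thread
# are absent from the constructed changelog? (Both, since the sample only
# contains placeholder ids.)
unmentioned_cves "$SAMPLE_CHANGELOG" CVE-2018-0618 CVE-2018-13796
```

On a real Xenial host the same functions apply to the installed package's changelog, for example `apt-get changelog mailman | changelog_cves`, with `dpkg-query -W -f='${Version}\n' mailman` giving the installed version for comparison. A CVE appearing in the changelog indicates the maintainer intended to address it; whether the fix is complete is what the CVE tracker pages linked in this thread record.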
Changed in mailman (Ubuntu):
assignee: nobody → Siridech Kingsuwan (deinfinity)
status: New → Incomplete
assignee: Siridech Kingsuwan (deinfinity) → nobody
Fernando (ffredy) wrote :

May I know why this was moved to status Incomplete and assigned to nobody?

The issue reported continues, so the bug fixes between 2.1.20 and 2.1.29 still exist, and the rationale is to keep them there until someone can report that they have been a victim of an exploit?

What is the sense of doing that knowing there are fixes publicized and available ?

The argument that newer software versions are applied to newer releases doesn't make sense. We are talking about an LTS version.

And we are even not talking about a major software version upgrade.

Paride Legovini (paride)
Changed in mailman (Ubuntu):
status: Incomplete → New
Paride Legovini (paride) wrote :

I reverted the bug status to what it was until 2019-05-17; I think the changes were not wanted. Please note that the bug was not assigned to anybody even before. The latest valid update to this bug is message #8 from Robie Basak.

Fernando (ffredy) wrote :

Great, Paride, thanks. Let's see how it evolves, and hopefully it gets an upgrade, knowing the existing security issues to be applied and taking into consideration the LTS status of 16.04.

Seth Arnold (seth-arnold) wrote :

Hello, we're currently tracking two CVEs in mailman:

https://people.canonical.com/~ubuntu-security/cve/pkg/mailman.html
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-0618
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13796

We've prioritized both these issues as 'low', which means we won't be releasing fixes for these issues alone, but will bundle fixes for these issues with the next issue we prioritize as 'medium' or higher.

Thanks
