Debian has issued an advisory on April 6: https://lists.debian.org/debian-security-announce/2015/msg00101.html
The DSA will be posted here: https://www.debian.org/security/2015/dsa-3214
The issue is fixed upstream in 2.1.20.
Mageia 4 and Mageia 5 are affected.
CC: (none) => guillomovitch
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patch added in Mageia 4 and Cauldron SVN. Freeze push requested.
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated mailman packages fix security vulnerability:

A path traversal vulnerability was discovered in Mailman. Installations using a transport script (such as postfix-to-mailman.py) to interface with their MTA instead of static aliases were vulnerable to a path traversal attack. To successfully exploit this, an attacker needs write access on the local file system (CVE-2015-2775).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2775
https://www.debian.org/security/2015/dsa-3214
========================

Updated packages in core/updates_testing:
========================
mailman-2.1.15-4.1.mga4

from mailman-2.1.15-4.1.mga4.src.rpm
Assignee: remco => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Version: Cauldron => 4
Some testing info here https://bugs.mageia.org/show_bug.cgi?id=8067#c24
Installing the mailman package gives %post errors.

3/3: mailman ##########
Create a new, unpopulated mailing list.
Usage: /usr/sbin/newlist [options] [listname [listadmin-addr [admin-password]]]
Options:
-l language
--language=language
Make the list's preferred language `language', which must be a two letter language code.
-u urlhost
--urlhost=urlhost
Gives the list's web interface host name.
...etc
--help
-h
Print this help message and exit.
The options -o and -i are mutually exclusive.
No such list "mailman"
warning: %post(mailman-2.1.15-4.mga4.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for mailman-2.1.15-4.mga4.x86_64:

Updating to the new one doesn't but installing the new one separately does.

Browsing to http://hostname/mailman attempts to download a binary file rather than display it.

Starting mailman service fails, seems to be due to..
mailmanctl[21044]: Site list is missing: mailman
The journal also shows..
crond[15095]: (CRON) bad username (/etc/cron.d/mailman)
Wow, this package is quite a mess. We may have to push this as-is in Mageia 4, but if it's this broken and unmaintained it would stand to reason to drop it in Cauldron. No reason to ship it in Mageia 5 if it's going to continue to be this broken with nobody interested in fixing it.
It seems to be failing creating the mailman list here..

281 # initial list creation and configuration
282 su %{uid} \
283 -c "%{_sbindir}/newlist mailman root@$hostname $passwd" > /dev/null

The $hostname is causing it to fail as it just uses the computer name and not the fqdn. Seems to need something like root@$hostname.$domainname

Testing the newlist command manually and specifying the fqdn and an 8 letter password completes ok.
let me look at it. But not today.
Status: NEW => ASSIGNED
CC: (none) => thomas
Assignee: qa-bugs => thomas
CC: (none) => remco
Don't drop it yet. The install problems listed above don't show on the cauldron version or if upgraded to ver. 2.1.20. I want to do some further testing.
The security issue is fixed in Cauldron and you (Thomas) and Remmy said you'd look at it, so I removed it from the drop list. We'll keep it for Mageia 5.
Created attachment 6455 [details] Install messages
(In reply to claire robinson from comment #7)
> It seems to be failing creating the mailman list here..
> 281 # initial list creation and configuration
> 282 su %{uid} \
> 283 -c "%{_sbindir}/newlist mailman root@$hostname $passwd" > /dev/null
>
> The $hostname is causing it to fail as it just uses the computer name and
> not the fqdn. Seems to need something like root@$hostname.$domainname
>
> Testing the newlist command manually and specifying the fqdn and an 8 letter
> password completes ok.

I just reverted to a mga4 on a vbox with fqdn and I didn't see what you saw. See attachment 1 [details]
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=8759
Note that there's now a build of mailman in Mageia 4 updates_testing that's newer than the version in Cauldron. This needs to be pushed in Mageia 5 before anything can be done with it.
I have updated this package to version 2.1.20. I installed it after configuring the mailserver. It created an email telling it created the initial mailing list and the password and the browser link. (2.1.15 did not do this) Also, the cron job seems to run fine and no errors in the mailman logs. The problem is still the integration with apache. All I get is that firefox wants to download the cgi script instead of running it. So please either help or be patient.
If it doesn't have any regressions, please at least push it to Cauldron.
Thank you Thomas :o)
I need some help to integrate it with apache. Remco, would/could you please help. Or if someone else has it working...... This is a pretty popular package used by a lot (of users) and we need to make this work.
This is a strange package. As most webapp packages do, it creates an Alias matching the package name under / of the web server, but this one goes to a cgi directory rather than a traditional webapp. I guess that's what you get for something written in C or not PHP. Some thoughts I had comparing its config to the Apache configs... Maybe the Alias for /%{name} should be a ScriptAlias? Maybe the Options ExecCgi should be Options ExecCGI? Maybe the <Directory block for the cgi-bin directory needs SetHandler cgi-script? I don't know, but those are some possibilities to try. Is having it try to download a binary file instead of rendering a page the only remaining issue?
(In reply to David Walser from comment #18)
> This is a strange package. As most webapp packages do, it creates an Alias
> matching the package name under / of the web server, but this one goes to a
> cgi directory rather than a traditional webapp. I guess that's what you get
> for something written in C or not PHP.

Most of it is in Python

> Some thoughts I had comparing its config to the Apache configs...
>
> Maybe the Alias for /%{name} should be a ScriptAlias?

This may be the issue. But since there is already a ScriptAlias in httpd.conf I get a complaint in systemctl -l status mailman. An Apache guru could perhaps help.

> Maybe the Options ExecCgi should be Options ExecCGI?

I tried this and also Options +ExecCGI

> Maybe the <Directory block for the cgi-bin directory needs SetHandler
> cgi-script?
>
> I don't know, but those are some possibilities to try.

We also have the mailman cgi-bin in /usr/lib64/mailman and they should probably be in /usr/lib/mailman as other people do. But I didn't want to make such a drastic change before mga6.

> Is having it try to download a binary file instead of rendering a page the
> only remaining issue?

I think so, but this is needed to admin the mailman mailing list. (and for the users to sign up, etc.) Probably 90+ % of the mailing lists hosts use this program. So we need to make it work.
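An added illustration of the Alias versus ScriptAlias point discussed above (example config, not the Mageia package's own httpd fragment): the first block maps /mailman onto the CGI directory without assigning a handler, so Apache serves the extensionless CGI wrappers as static files and the browser offers them for download; the second block uses ScriptAlias, which implies the cgi-script handler for everything under the target directory. The /usr/lib64/mailman path follows the comment above, and Apache 2.4 access-control syntax is assumed.

```apache
# Broken (assumed reconstruction of the symptom): a plain Alias plus
# ExecCGI does not by itself tell Apache that these files are CGI
# programs. The mailman CGIs have no .cgi suffix, so no AddHandler by
# extension matches either, and /mailman/listinfo comes back as
# application/octet-stream, i.e. a download instead of a page.
Alias /mailman /usr/lib64/mailman/cgi-bin
<Directory /usr/lib64/mailman/cgi-bin>
    AllowOverride None
    Options ExecCGI
    Require all granted
</Directory>

# Corrected: ScriptAlias marks the whole directory as CGI, so every file
# in it runs under mod_cgi/mod_cgid (one of which must be loaded).
# Several ScriptAlias lines can coexist in httpd.conf as long as their
# URL prefixes differ, so an existing ScriptAlias for /cgi-bin/ is not
# a conflict. Keep the trailing slashes on both sides consistent.
ScriptAlias /mailman/ /usr/lib64/mailman/cgi-bin/
<Directory /usr/lib64/mailman/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Require all granted
</Directory>

# The list archives are static HTML and stay a normal Alias.
Alias /pipermail/ /var/lib/mailman/archives/public/
<Directory /var/lib/mailman/archives/public/>
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
```

After reloading Apache, a quick check is that `curl -sI http://localhost/mailman/listinfo` returns `Content-Type: text/html` rather than `application/octet-stream`.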
Hardware: i586 => All
This bug has been fixed; the security issue CVE-2015-2775 and the non-working web interface.

The following packages are in updates_testing and a freeze push in cauldron has been asked for:
mailman-2.1.20-1.1.mga4.src.rpm
mailman-2.1.20-1.1.mga4.x86_64.rpm
mailman-debuginfo-2.1.20-1.1.mga4.x86_64.rpm
and the corresponding i586 packages.

Assigning it to qa
QA Contact: security => qa-bugs
Thanks Thomas! Please don't forget to commit the fix for the web interface to Cauldron and ask for another freeze push.
mailman-2.1.20-2.mga5 uploaded for Cauldron. Actually assigning this to QA now.
Assignee: thomas => qa-bugs
QA Contact: qa-bugs => security
Testing complete mga4 32

Just ensuring it updates cleanly during mga5 final release cycle.
Whiteboard: (none) => mga4-32-ok
(In reply to claire robinson from comment #23)
> Testing complete mga4 32
>
> Just ensuring it updates cleanly during mga5 final release cycle.

Updates cleanly on MGA4 64.
CC: (none) => shlomif
Whiteboard: mga4-32-ok => mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: mga4-32-ok mga4-64-ok => advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0205.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED