Your message dated Fri, 14 Jan 2005 04:47:08 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#285839: fixed in mailman 2.1.5-5
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 15 Dec 2004 21:37:49 +0000
>From [EMAIL PROTECTED] Wed Dec 15 13:37:49 2004
Return-path: <[EMAIL PROTECTED]>
Received: from refraktori.verkkotelakka.net [212.16.98.234] (Debian-exim)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CegqD-0006dJ-00; Wed, 15 Dec 2004 13:37:49 -0800
Received: from jmtapio sender auth=jmtapio
by refraktori.verkkotelakka.net with local (Exim 4.34) id
1Cegq7-0001Hz-Gs; Wed, 15 Dec 2004 23:37:46 +0200
MIME-Version: 1.0
From: Juha-Matti Tapio <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
X-Mailer: reportbug 2.63
Date: Wed, 15 Dec 2004 23:37:43 +0200
Message-Id: <[EMAIL PROTECTED]>
Sender: Juha-Matti Tapio <[EMAIL PROTECTED]>
Content-Type: multipart/mixed; boundary="===============0950576149=="
Subject: mailman: Membership leakage with private roster due to 55_options_traceback.dpatch
This is a multi-part MIME message sent by reportbug.
--===============0950576149==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Package: mailman
Version: 2.1.5-4
Severity: important
Tags: security patch
Patch 55_options_traceback.dpatch changes the authentication of a
private roster user so that a different response is given depending on
whether the user is a member of the specified list. Therefore it is possible to
check if a specific email address is on a private list or not.
The patch also seems a bit odd regarding the problem that it claims to
fix. The patch should be either removed totally or rewritten to fix the
original bug if it still exists in the upstream.
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.6
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]
Versions of packages mailman depends on:
ii apache2-mpm-perchild [httpd 2.0.50-11 Experimental High speed perchild t
ii cron 3.0pl1-86 management of regular background p
ii debconf 1.4.30.10 Debian configuration management sy
ii exim4 4.34-3 An MTA (Mail Transport Agent)
ii exim4-daemon-heavy [mail-tr 4.34-3 Exim (v4) with extended features,
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
ii logrotate 3.6.5-2 Log rotation utility
ii pwgen 2.03-1 Automatic Password generation
ii python 2.3.4-1 An interactive high-level object-o
ii ucf 1.08 Update Configuration File: preserv
-- debconf information excluded
--===============0950576149==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="mailman-fix.diff"
diff -urN mailman-2.1.5/debian/patches/00list
mailman-2.1.5.new/debian/patches/00list
--- mailman-2.1.5/debian/patches/00list 2004-11-17 21:20:20.000000000 +0200
+++ mailman-2.1.5.new/debian/patches/00list 2004-12-15 23:12:44.000000000
+0200
@@ -17,7 +17,6 @@
51_nocompile.pyc
52_check_perms_lstat
53_disable_addons
-55_options_traceback
56_fix_de_broken_links
57_fix_missing_da_template
58_fix_translations
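Review bot: the `55_options_traceback` entry is dropped from `00list` with no debian/changelog entry anywhere in this diff; add one that names the dpatch and this bug (#285839) so the reason for the removal is recorded with the package.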
diff -urN mailman-2.1.5/debian/patches/55_options_traceback.dpatch
mailman-2.1.5.new/debian/patches/55_options_traceback.dpatch
--- mailman-2.1.5/debian/patches/55_options_traceback.dpatch 2004-11-17
21:20:20.000000000 +0200
+++ mailman-2.1.5.new/debian/patches/55_options_traceback.dpatch
1970-01-01 02:00:00.000000000 +0200
@@ -1,42 +0,0 @@
-#! /bin/sh -e
-## 55_options_traceback.dpatch by Tollef Fog Heen <[EMAIL PROTECTED]>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Don't spit out a traceback if you are giving a admin password
-## DP: Closes #233161
-
-[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
-patch_opts="${patch_opts:--f --no-backup-if-mismatch ${2:+-d $2}}"
-
-if [ $# -lt 1 ]; then
- echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
- exit 1
-fi
-case "$1" in
- -patch) patch $patch_opts -p1 < $0;;
- -unpatch) patch $patch_opts -p1 -R < $0;;
- *)
- echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
- exit 1;;
-esac
-
-exit 0
[EMAIL PROTECTED]@
-
---- mailman-2.1.4/Mailman/Cgi/options.py 2004-02-17 10:56:16.000000000 +0800
-+++ mailman-2.1.4/Mailman/Cgi/options.py 2004-02-17 10:59:04.000000000 +0800
-@@ -119,8 +119,12 @@
- return
- # Sanity check the user, but only give the "no such member" error when
- # using public rosters, otherwise, we'll leak membership information.
-- if not mlist.isMember(user) and mlist.private_roster == 0:
-- doc.addError(_('No such member: %(safeuser)s.'))
-+ if not mlist.isMember(user):
-+ if mlist.private_roster == 0:
-+ doc.addError(_('No such member: %(safeuser)s.'))
-+ else:
-+ # Prevent an exception when the site/list admin password is used
-+ doc.addError(_('Authentication failed.'))
- loginpage(mlist, doc, None, language)
- print doc.Format()
- return
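Review bot: deleting the dpatch whole also deletes the workaround its header describes (`## DP: Closes #233161`, the traceback when an admin password is given), and nothing in this diff shows that the traceback no longer occurs with 2.1.5; please confirm that before the removal goes in. If it does still occur, the replacement should not reuse the `else:` branch under `if not mlist.isMember(user):`, because that branch gives non-members of a private roster their own early 'Authentication failed.' response, which is the leak the comment just above it warns about ("otherwise, we'll leak membership information").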
--===============0950576149==--
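The membership check described in the report above, modelled as an added example (not code from Mailman, Debian or the reporter): it compares the outcome for a member and a non-member under each roster setting to show where the check acts as a membership oracle. The `FALLTHROUGH` outcome and the roster values `(0, 1)` are assumptions; the page shows only the `private_roster == 0` test and not the code that follows the check.

```python
# Added illustration (not Mailman or Debian code). The two checks mirror the
# condition shown in the removed dpatch; FALLTHROUGH stands for "continue to
# the normal password check", which the page does not show and is assumed
# here to treat members and non-members alike.
NO_SUCH_MEMBER = "No such member"
AUTH_FAILED = "Authentication failed."
FALLTHROUGH = "continue to password check"


def check_upstream(is_member, private_roster):
    """Condition on the '-' side of the embedded options.py hunk."""
    if not is_member and private_roster == 0:
        return NO_SUCH_MEMBER
    return FALLTHROUGH


def check_dpatch(is_member, private_roster):
    """Condition on the '+' side (55_options_traceback.dpatch)."""
    if not is_member:
        if private_roster == 0:
            return NO_SUCH_MEMBER
        return AUTH_FAILED
    return FALLTHROUGH


def distinguishing_settings(check, roster_settings=(0, 1)):
    """Return the private_roster values for which the check answers a
    member and a non-member differently, i.e. where it reveals membership."""
    leaks = []
    for setting in roster_settings:
        if check(True, setting) != check(False, setting):
            leaks.append(setting)
    return leaks


def audit():
    """Map each variant to the roster settings where it is an oracle."""
    return {
        "upstream": distinguishing_settings(check_upstream),
        "dpatch": distinguishing_settings(check_dpatch),
    }


if __name__ == "__main__":
    for name, leaks in audit().items():
        private_leaks = [s for s in leaks if s != 0]
        print(f"{name}: differs for private_roster in {leaks}; "
              f"private-roster leak: {bool(private_leaks)}")
```

A difference at `private_roster == 0` is expected, since the roster is public there; the regression to guard against is any non-zero setting appearing in the result.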
---------------------------------------
Received: (at 285839-close) by bugs.debian.org; 14 Jan 2005 09:53:31 +0000
>From [EMAIL PROTECTED] Fri Jan 14 01:53:30 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CpO94-0004Ud-00; Fri, 14 Jan 2005 01:53:30 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1CpO2u-0003Oz-00; Fri, 14 Jan 2005 04:47:08 -0500
From: Tollef Fog Heen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.54 $
Subject: Bug#285839: fixed in mailman 2.1.5-5
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 14 Jan 2005 04:47:08 -0500
Source: mailman
Source-Version: 2.1.5-5
We believe that the bug you reported is fixed in the latest version of
mailman, which is due to be installed in the Debian FTP archive:
mailman_2.1.5-5.diff.gz
to pool/main/m/mailman/mailman_2.1.5-5.diff.gz
mailman_2.1.5-5.dsc
to pool/main/m/mailman/mailman_2.1.5-5.dsc
mailman_2.1.5-5_i386.deb
to pool/main/m/mailman/mailman_2.1.5-5_i386.deb
mailman_2.1.5.orig.tar.gz
to pool/main/m/mailman/mailman_2.1.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tollef Fog Heen <[EMAIL PROTECTED]> (supplier of updated mailman package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 10 Jan 2005 17:12:58 +0100
Source: mailman
Binary: mailman
Architecture: source i386
Version: 2.1.5-5
Distribution: unstable
Urgency: high
Maintainer: Tollef Fog Heen <[EMAIL PROTECTED]>
Changed-By: Tollef Fog Heen <[EMAIL PROTECTED]>
Description:
mailman - Powerful, web-based mailing list manager
Closes: 280529 284771 285839 286796 287555
Changes:
mailman (2.1.5-5) unstable; urgency=high
.
* Fix CAN-2004-1143 (weak auto-generated passwords) by pulling the
appropriate CVS change from upstream. Thanks to Florian Weimer for
finding and producing a patch for this bug. (closes: #286796)
* Fix CAN-2004-1177 (CSS problem in scripts/driver) by pulling the
appropriate patch from upstream CVS. Thanks to Florian Weimer for
discovering and producing a patch for this bug. (closes: #287555)
* Handle the case of upgrading from Mailman 2.0 where we have
pending subscriptions. This should hopefully fix #280529. Thanks to
Bastian Kleinedam for the patch. (closes: #280529)
* Skip directories when updating templates, to make the life easier for
people who have their configuration in Subversion or Arch.
(closes: #284771)
* Remove 55_options_traceback.dpatch as this problem seems to have been
fixed upstream and it causes other problems. (closes: #285839)
Files:
211e90f80573d909d805e2b9d40dd21e 640 mail optional mailman_2.1.5-5.dsc
f5f56f04747cd4aff67427e7a45631af 5745912 mail optional
mailman_2.1.5.orig.tar.gz
7c0131c39ae93621120673b94cde9be7 174358 mail optional mailman_2.1.5-5.diff.gz
997fd482d1a92d751c132a449d150fc9 6607802 mail optional mailman_2.1.5-5_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB55BlQSseMYF6mWoRAkzVAKDa2oVG7RsLLZ/P2rUFQj2pkporAwCaA+t/
6oqxdXJcck5pDz8V85oMpPw=
=af3J
-----END PGP SIGNATURE-----