Re: MailMan Security patch for Woody Broken?
* Matt Zimmerman
| If that is the only issue, then it is a simple matter to prepare fixed
| packages which use string.lower('string') rather than 'string'.lower(),
| which should work with both python 1.5 and python 2.x. Please let me know
| as soon as you are able to test this.
Fixed in proposed-updates now.
--
Tollef Fog Heen,''`.
UNIX is user friendly, it's just picky about who its friends are : :' :
`. `'
`-
Re: MailMan Security patch for Woody Broken?
In message <[EMAIL PROTECTED]>, Matt Zimmerman writes:
>
>If that is the only issue, then it is a simple matter to prepare fixed
>packages which use string.lower('string') rather than 'string'.lower(),
>which should work with both python 1.5 and python 2.x. Please let me know
>as soon as you are able to test this.
>
Unfortunately I will be away from home all next week. I will not be able to
look at this again till the week after next (commencing 26/8/2002).
I will contact you then.
--
David
Re: MailMan Security patch for Woody Broken?
Matt Zimmerman <[EMAIL PROTECTED]> wrote: > Python 1.5.2 (#0, Jan 13 2002, 13:19:04) [GCC 2.95.4 20011223 (Debian > prerelease)] on linux2 > Copyright 1991-1995 Stichting Mathematisch Centrum, Amsterdam > >>> ''.lower() > Traceback (innermost last): > File "", line 1, in ? > AttributeError: 'string' object has no attribute 'lower' Good shot, but the latest mailman in woody (2.0.11-1woody2) depends on python and python depends on python2.1 (>= 2.1.3-1), so I think there is something weird here. I'm bringing this discussion on debian-python. Please drop debian-devel on followups. -- Florent
Re: MailMan Security patch for Woody Broken?
On Thu, Aug 15, 2002 at 06:13:37PM +1000, David Fisher wrote:
> In message <[EMAIL PROTECTED]>, Matt Zimmerman writes:
> >
> >precedence = ''
> >
> >does it fix the problem?
>
> I'll try that and report back when I get time to, which is very scarce at the
> moment. Thanks for your reply.
If that is the only issue, then it is a simple matter to prepare fixed
packages which use string.lower('string') rather than 'string'.lower(),
which should work with both python 1.5 and python 2.x. Please let me know
as soon as you are able to test this.
--
- mdz
Re: MailMan Security patch for Woody Broken?
On Wed, Aug 14, 2002 at 04:57:33PM +0200, Florent Rougon wrote:
> I can't look at mailman right now, but some observations that might
> help:
>
> - with python 2.1:
>
> >>> 'barstring'.foo()
> Traceback (most recent call last):
> File "", line 1, in ?
> AttributeError: foo
>
> - with python 2.2
>
> >>> "barstring".foo()
> Traceback (most recent call last):
> File "", line 1, in ?
> AttributeError: 'str' object has no attribute 'foo'
>
> which is closer to the David's error message, *but* has 'str' instead
> of 'string'. BTW:
>
> >>> type("dfsfsd")
>
>
> I don't know where this 'string' comes from.
Python 1.5.2 (#0, Jan 13 2002, 13:19:04) [GCC 2.95.4 20011223 (Debian
prerelease)] on linux2
Copyright 1991-1995 Stichting Mathematisch Centrum, Amsterdam
>>> ''.lower()
Traceback (innermost last):
File "", line 1, in ?
AttributeError: 'string' object has no attribute 'lower'
--
- mdz
Re: MailMan Security patch for Woody Broken?
On 2002-08-14 (Wed) 11:23 David Fisher <[EMAIL PROTECTED]> wrote: > Aug 14 18:48:03 2002 qrunner(1300): AttributeError : 'string' object > has no attribute 'lower' > > Is anyone else having trouble since the new version was released? Yes, my colleague ran into the same problem. He figured out that recent mailman fix uses Python 2.x features. See bug #156642 for details. Gábor
Re: MailMan Security patch for Woody Broken?
Roland Bauerschmidt <[EMAIL PROTECTED]> wrote:
> > >>> type("dfsfsd")
> >
[...]
> Which Python version are you using?
This was typed under 2.2, as written in my mail.
> >>> type('foo')
>
> >>> type("foo")
>
Yes, this is what you get with 2.1. But David's exception traceback
looked more like what we get from 2.2 than from 2.1 and I didn't think
he could still be using 1.5...
--
Florent
Re: MailMan Security patch for Woody Broken?
In message <[EMAIL PROTECTED]>, Matt Zimmerman writes: > >This is certainly suspicious, since all Python 'string' objects are supposed >to have a 'lower()' method, as far as I know. > >But that line is one which was added in the security update. What version >of Python are you running? Python 1.5.2-18.4 If you change that line to: > >precedence = '' > >does it fix the problem? I'll try that and report back when I get time to, which is very scarce at the moment. Thanks for your reply. -- David
Re: MailMan Security patch for Woody Broken?
Florent Rougon wrote:
> >>> type("dfsfsd")
>
>
> I don't know where this 'string' comes from.
Which Python version are you using?
Python 2.1.3 (#1, Jul 29 2002, 22:34:51)
[GCC 2.95.4 20011002 (Debian prerelease)] on linux2
Type "copyright", "credits" or "license" for more information.
>>> type('foo')
>>> type("foo")
>>>
--
Roland Bauerschmidt
Re: MailMan Security patch for Woody Broken?
Hi,
Matt Zimmerman <[EMAIL PROTECTED]> wrote:
> > Aug 14 18:48:03 2002 qrunner(1300): AttributeError : 'string' object has
> > no
> > attribute 'lower'
>
> This is certainly suspicious, since all Python 'string' objects are supposed
> to have a 'lower()' method, as far as I know.
I can't look at mailman right now, but some observations that might
help:
- with python 2.1:
>>> 'barstring'.foo()
Traceback (most recent call last):
File "", line 1, in ?
AttributeError: foo
- with python 2.2
>>> "barstring".foo()
Traceback (most recent call last):
File "", line 1, in ?
AttributeError: 'str' object has no attribute 'foo'
which is closer to the David's error message, *but* has 'str' instead
of 'string'. BTW:
>>> type("dfsfsd")
I don't know where this 'string' comes from.
--
Florent
Re: MailMan Security patch for Woody Broken?
On Wed, Aug 14, 2002 at 07:23:05PM +1000, David Fisher wrote:
> I believe that the just released MailMan security fix for woody may be broken.
>
> I am running a Debian woody server which runs several MailMan lists which
> have been running sweetly until just recently. The only thing I can think of
> that has changed is that, like you do, I installed the recent MailMan
> security fix for woody that came out a cuppla days ago.
>
> Now, no messages are getting through. If I do a test subscribe from the web
> interface, I get the acknowledgement email asking for a reply but nothing
> comes back.
>
> A check in the logs reveals this suspicious tid-bit:
>
> Aug 14 18:48:03 2002 qrunner(1300): File "/usr/lib/mailman/Mailman/MailComma
> ndHandler.py", line 123, in ParseMailCommands
> Aug 14 18:48:03 2002 qrunner(1300): precedence = msg.get('precedence',
> '').lower()
> Aug 14 18:48:03 2002 qrunner(1300): AttributeError : 'string' object has no
> attribute 'lower'
This is certainly suspicious, since all Python 'string' objects are supposed
to have a 'lower()' method, as far as I know.
But that line is one which was added in the security update. What version
of Python are you running? If you change that line to:
precedence = ''
does it fix the problem?
--
- mdz
MailMan Security patch for Woody Broken?
Hi all,
I believe that the just released MailMan security fix for woody may be broken.
I am running a Debian woody server which runs several MailMan lists which
have been running sweetly until just recently. The only thing I can think of
that has changed is that, like you do, I installed the recent MailMan
security fix for woody that came out a cuppla days ago.
Now, no messages are getting through. If I do a test subscribe from the web
interface, I get the acknowledgement email asking for a reply but nothing
comes back.
A check in the logs reveals this suspicious tid-bit:
Aug 14 18:48:03 2002 qrunner(1300): File "/usr/lib/mailman/Mailman/MailComma
ndHandler.py", line 123, in ParseMailCommands
Aug 14 18:48:03 2002 qrunner(1300): precedence = msg.get('precedence',
'').lower()
Aug 14 18:48:03 2002 qrunner(1300): AttributeError : 'string' object has no
attribute 'lower'
Is anyone else having trouble since the new version was released?
--
David
