[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2019-05-21 Thread Seth Arnold
Hello, we're currently tracking two CVEs in mailman:

https://people.canonical.com/~ubuntu-security/cve/pkg/mailman.html
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-0618
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13796

We've prioritized both these issues as 'low', which means we won't be
releasing fixes for these issues alone, but will bundle fixes for these
issues with the next issue we prioritize as 'medium' or higher.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1803838

Title:
  Mailman Upgrade to 2.1.29 - Ubuntu 16.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mailman/+bug/1803838/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2019-05-20 Thread Fernando
Great, Paride, thanks. Let's see how it evolves and hopefully it gets an
upgrade knowing the existing security issues to be applied and taking into
consideration the LTS status of 16.04.

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2019-05-20 Thread Paride Legovini
I reverted the bug status to what it was until 2019-05-17, I think the
changes were not wanted. Please note that the bug was not assigned to
anybody even before. The latest valid update to this bug is message #8
from Robie Basak.

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2019-05-20 Thread Paride Legovini
** Changed in: mailman (Ubuntu)
   Status: Incomplete => New

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2019-05-17 Thread Fernando
May I know why this was moved to Status Incomplete and assigned to nobody?

The issue reported continues, so the bug fixes between 2.1.20 and 2.1.29
still exist and the rationale is to keep them there until someone can
report that they have been a victim of an exploit?

What is the sense of doing that knowing there are fixes publicized and
available?

The argument that the newer software versions are applied to newer releases
doesn't make sense. We are talking about an LTS version.

And we are not even talking about a major software version upgrade.

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2019-05-17 Thread Siridech Kingsuwan
** Changed in: mailman (Ubuntu)
   Status: New => Incomplete

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2018-11-23 Thread Robie Basak
> given that the most appropriate is a version upgrade

Not necessarily. The most appropriate approach to take will be decided
between Ubuntu developers, the security team, the stable release updates
team and anyone else actually doing the work.

> as there are known pending security fixes

Security fixes are usually cherry-picked. Note that the two outstanding
CVEs have been determined to be of low severity by the security team.

> Perhaps it just speeds up things if I understand correctly.

Not really, but what we do, how we approach it and how we prioritise it
differ depending on the actual issues that need to be addressed, so we
need to be told what the actual problems are that are being reported.

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2018-11-23 Thread Fernando
Yeah, given that the most appropriate is a version upgrade, but I find it a
bit strange to have to report an individual issue in order for that to
happen as there are known pending security fixes. Perhaps it just speeds
up things if I understand correctly.

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2018-11-23 Thread Andreas Hasenack
Current state of mailman in the Security Team's CVE tracker:

http://people.canonical.com/~ubuntu-security/cve/pkg/mailman.html

At the moment, these are in a needs-triage state: CVE-2018-0618 and
CVE-2018-13796

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-0618

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-13796

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to mailman in Ubuntu.
https://bugs.launchpad.net/bugs/1803838

Title:
  Mailman Upgrade to 2.1.29 - Ubuntu 16.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mailman/+bug/1803838/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2018-11-23 Thread Andreas Hasenack
A "blanket" bug like this, requesting a big upgrade, is unlikely to be
resolved. I think it's best to highlight a specific issue in a specific
bug report, even if you end up with multiple reports. Then someone
working on it can decide whether it's best to backport a fix, or upgrade
the version. Usually the former is better, especially considering xenial
is an LTS release.

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2018-11-18 Thread Fernando
Hello Hans.
Thanks for the update.

I guess that would be the case maybe for Mailman 3.0, for example, but in the
case we are talking about there are several security fixes that are related in
the changelog from version 2.1.20 to 2.1.29.
I believe the security issues that have been fixed on 2.1.20-1ubuntu0.3 are
fixes that were made available until that version on the source code, so to the
current latest version there are new pending bug and security fixes to be
applied to the package available in the package manager.

I don't think pushing a release upgrade is the best approach for a case like
this as it doesn't take any backports as necessary or anything that is rather
complex like a kernel dependency to be done or that involves other details.
There are plenty of reasons to keep running an LTS version with the latest bug
and security fixes applied to certain packages until it is possible to do a
release upgrade.

It seems the backport would not be the case for this one as well.

Thanks for the tips about bug reporting. I tried to mark the proper
package affected but it seems it didn't work.

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2018-11-18 Thread Hans Joachim Desserud
Thanks for reporting.

Ubuntu is not a rolling release, so package versions are usually not
updated from the one initially provided in a certain Ubuntu release.
Newer versions of packages are added to newer Ubuntu releases.

There are a couple of exceptions. The first one is major bugs or
security issues where the issue is fixed by applying a patch for that
specific issue in the form of a Stable Release Upgrade
(https://wiki.ubuntu.com/StableReleaseUpdates#Procedure). As you can see
from https://launchpad.net/ubuntu/+source/mailman, for 16.04 a couple of
security issues seem to have been fixed in 1:2.1.20-1ubuntu0.3.

The second case is offering a newer version of the package in the
backports pocket, which makes a newer version of a package optionally
available and installable on an older Ubuntu release. See
https://wiki.ubuntu.com/UbuntuBackports#Requesting_a_Backport for
details on how to request a backport.

When reporting bugs in the future please use apport by using
'ubuntu-bug' and the name of the package affected. This will mark the correct
package as affected and automatically add other relevant information
such as version numbers.

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2018-11-18 Thread Hans Joachim Desserud
** Package changed: ubuntu => mailman (Ubuntu)

** Tags added: xenial

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2018-11-17 Thread Jim Popovitch via ubuntu-bugs
There's also the new Mailman PPA:

https://launchpad.net/~mailman-administrivia/+archive/ubuntu/ppa

[Bug 1803838] Re: Mailman Upgrade to 2.1.29 - Ubuntu 16.04

2018-11-17 Thread Mark Sapiro
If you want to upgrade the Ubuntu 16.04 package from source, see
https://wiki.list.org/x/17891606.

** Also affects: ubuntu
   Importance: Undecided
   Status: New

** No longer affects: mailman
