[Mailman-Developers] Re: Mailman 2.1.31 security release - issues and questions

2020-05-05 Thread Mark Sapiro
On 5/5/20 4:11 PM, Matthias Andree wrote:
> 
> My build was also using Mailman's bin/msgfmt.py - it was using relative
> paths,
> I am pasting its failing command line again for your convenience:
> 
>> /usr/local/bin/python2.7 ../build/bin/msgfmt.py -o
>> es/LC_MESSAGES/mailman.mo es/LC_MESSAGES/mailman.po


Yes, I see that I must have somehow just overlooked the error.

In any case, it's fixed now. Thanks again for reporting these things.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
___
Mailman-Developers mailing list -- mailman-developers@python.org
To unsubscribe send an email to mailman-developers-le...@python.org
https://mail.python.org/mailman3/lists/mailman-developers.python.org/
Mailman FAQ: https://wiki.list.org/x/AgA3

Security Policy: https://wiki.list.org/x/QIA9


[Mailman-Developers] Re: Mailman 2.1.31 security release - issues and questions

2020-05-05 Thread Matthias Andree
Am 05.05.20 um 20:54 schrieb Mark Sapiro:
> On 5/5/20 11:09 AM, Matthias Andree wrote:
>> Greetings,
>>
>> I am the packager of Mailman 2.x for FreeBSD and am reporting two issues
>> and have two questions:
>>
>> I1: It would seem the Spanish translation has regressed with 2.1.31,
>> and fails to build on FreeBSD 12.1:
>>
> ...
>
>>>   File "", line 1
>>> " direcci�n de rebote cuando se usa "responder a 
>>> todos"), as� que puede ser \n"
>>>  ^
>>> SyntaxError: invalid syntax
>>> *** Error code 1 (ignored)
>> There should be \" around 'responder a todos', not simple ".
>> Future releases should test build the translations. (Am doing that in
>> FreeBSD.)
>
> Thank you for the report. I actually did compile this message catalog,
> but with Mailman's bin/msgfmt.py which didn't catch this error.

Mark,

My build was also using Mailman's bin/msgfmt.py - it was using relative
paths,
I am pasting its failing command line again for your convenience:

> /usr/local/bin/python2.7 ../build/bin/msgfmt.py -o
> es/LC_MESSAGES/mailman.mo es/LC_MESSAGES/mailman.po

> I'm going to fix all the above and release 2.1.32 later today.
(which I see is out)
> The reporter told me he requested a CVE ID, but hasn't given it to me. I
> searched Mitre, but if there is a placeholder ID, I wouldn't find it anyway.

Thank you. Found revision 1814.

Regards,
Matthias



[Mailman-Developers] Re: Mailman 2.1.31 security release

2020-05-05 Thread Mark Sapiro
There were some i18n issues in this morning's Mailman 2.1.31 release so
I have released Mailman 2.1.32 to fix these.

Python 2.6 is the minimum supported, but Python 2.7, preferably 2.7.18 -
the final Python 2 release, is strongly recommended.

Mailman 2.1.31 is a security fix release with an update to the Spanish
translation and another couple of minor fixes. See the attached
README.txt and the bug report at
 for details.

For those who don't want to install the full update, the above bug
report contains a simple patch to fix the security issue.

As noted Mailman 2.1.30 was the last feature release of the Mailman 2.1
branch from the GNU Mailman project. There has been some discussion as
to what this means. It means there will be no more releases from the GNU
Mailman project containing any new features. There may be future patch
releases to address the following:
 - i18n updates.
 - security issues.
 - bugs affecting operation for which no satisfactory workaround exists.

Mailman 2.1.31 is the first such patch release and Mailman 2.1.32 is the
second.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites.

For more information, please see our web site at one of:

http://www.list.org
https://www.gnu.org/software/mailman
http://mailman.sourceforge.net/

Mailman 2.1.32 can be downloaded from

https://launchpad.net/mailman/2.1/
https://ftp.gnu.org/gnu/mailman/
https://sourceforge.net/projects/mailman/

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

2.1.32 (05-May-2020)

  i18n

Fixed a typo in the Spanish translation and updated mailman.pot and
the message catalog for 2.1.31 security fix.

2.1.31 (05-May-2020)

  Security

- A content injection vulnerability via the options login page has been
  discovered and reported by Vishal Singh. This is fixed.  (LP: #1873722)

  i18n

- The Spanish translation has been updated by Omar Walid Llorente.

  Bug Fixes and other patches

- Bounce recognition for a non-compliant Yahoo format is added.

- Archiving workaround for non-ascii in string.lowercase in some Python
  packages is added.




[Mailman-Developers] Re: Mailman 2.1.31 security release - issues and questions

2020-05-05 Thread Mark Sapiro
On 5/5/20 11:09 AM, Matthias Andree wrote:
> Greetings,
> 
> I am the packager of Mailman 2.x for FreeBSD and am reporting two issues
> and have two questions:
> 
> I1: It would seem the Spanish translation has regressed with 2.1.31,
> and fails to build on FreeBSD 12.1:
> 
...

>>   File "", line 1
>> " direcci�n de rebote cuando se usa "responder a 
>> todos"), as� que puede ser \n"
>>  ^
>> SyntaxError: invalid syntax
>> *** Error code 1 (ignored)
> 
> There should be \" around 'responder a todos', not simple ".
> Future releases should test build the translations. (Am doing that in
> FreeBSD.)


Thank you for the report. I actually did compile this message catalog,
but with Mailman's bin/msgfmt.py which didn't catch this error.


> I2: Then, none of the mailman.po files was updated for the security fix,
> and in FreeBSD, I am using sed for a machine edit, where WRKSRC is the
> directory that the code is unpacked into (including the mailman-2.1.*
> prefix/), and sed -E switches to modern regexps:
> 
>> sed -E -e '/Illegal Email Address:/,+1s/ *. %\(safeuser\)s//' \
>> ${WRKSRC}/messages/*/LC_MESSAGES/mailman.po


My bad for not updating mailman.pot and making the subsequent changes.

I'm going to fix all the above and release 2.1.32 later today.


> Q1: how about the htdig patches? 1813 does not seem to be on par with
> 2.1.31. I am using the 2.1.30 patches (version 1812) for now.


I'll get to it.


> Q2: Is the CVE from 2018 going to be used for this vuln or will there be
> a new CVE number assigned?


The reporter told me he requested a CVE ID, but hasn't given it to me. I
searched Mitre, but if there is a placeholder ID, I wouldn't find it anyway.


-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Developers] Re: Mailman 2.1.31 security release - issues and questions

2020-05-05 Thread Matthias Andree
Greetings,

I am the packager of Mailman 2.x for FreeBSD and am reporting two issues
and have two questions:

I1: It would seem the Spanish translation has regressed with 2.1.31,
and fails to build on FreeBSD 12.1:

> /usr/local/bin/python2.7 ../build/bin/msgfmt.py -o es/LC_MESSAGES/mailman.mo 
> es/LC_MESSAGES/mailman.po
> Traceback (most recent call last):
>   File "../build/bin/msgfmt.py", line 203, in 
> main()
>   File "../build/bin/msgfmt.py", line 199, in main
> make(filename, outfile)
>   File "../build/bin/msgfmt.py", line 151, in make
> l = eval(l)
>   File "", line 1
> " direcci�n de rebote cuando se usa "responder a todos"), 
> as� que puede ser \n"
>  ^
> SyntaxError: invalid syntax
> *** Error code 1 (ignored)

There should be \" around 'responder a todos', not simple ".
Future releases should test build the translations. (Am doing that in
FreeBSD.)


I2: Then, none of the mailman.po files was updated for the security fix,
and in FreeBSD, I am using sed for a machine edit, where WRKSRC is the
directory that the code is unpacked into (including the mailman-2.1.*
prefix/), and sed -E switches to modern regexps:

> sed -E -e '/Illegal Email Address:/,+1s/ *. %\(safeuser\)s//' \
> ${WRKSRC}/messages/*/LC_MESSAGES/mailman.po

Q1: how about the htdig patches? 1813 does not seem to be on par with
2.1.31. I am using the 2.1.30 patches (version 1812) for now.

Q2: Is the CVE from 2018 going to be used for this vuln or will there be
a new CVE number assigned?

Thanks.

Regards,
Matthias
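The quoting error reported in the message above (a bare " inside a catalog string line) can be caught by a build-time lint, in the spirit of the "test build the translations" suggestion. This is an added example, not part of the original thread and not Mailman's code: `lint_po` is a hypothetical helper, the sample catalog is constructed, and the check uses a regular expression for the string syntax rather than calling eval() on catalog lines as the traceback shows msgfmt.py doing.

```python
import re
import sys

# One PO string literal: an opening quote, then only ordinary characters or
# backslash escapes, then the closing quote at end of line.
PO_STRING = re.compile(r'"(?:[^"\\]|\\.)*"\Z')
KEYWORD = re.compile(r'(?:msgctxt|msgid_plural|msgid|msgstr(?:\[\d+\])?)\s+')

# Constructed sample catalog, modelled on the line in the traceback:
# entry 1 has bare quotes inside the string, entry 2 has them escaped.
SAMPLE = '''\
msgid "hint one"
msgstr ""
" cuando se usa "responder a todos"), puede ser \\n"

msgid "hint two"
msgstr ""
" cuando se usa \\"responder a todos\\"), puede ser \\n"
'''


def lint_po(text):
    """Return (line_number, line) for every malformed string line."""
    bad = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank lines and comments hold no string literal
        m = KEYWORD.match(line)
        literal = line[m.end():] if m else line
        if not PO_STRING.match(literal):
            bad.append((num, raw))
    return bad


if __name__ == '__main__':
    # With no arguments, lint the constructed sample; otherwise lint files.
    status = 0
    sources = sys.argv[1:]
    texts = [(p, open(p, encoding='utf-8', errors='replace').read())
             for p in sources] or [('SAMPLE', SAMPLE)]
    for name, text in texts:
        for num, raw in lint_po(text):
            print('%s:%d: malformed string: %s' % (name, num, raw))
            status = 1
    sys.exit(status)
```

Run against the catalog paths as arguments, it exits non-zero when any string line is malformed, so a packaging or release step can fail on it.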


[Mailman-Developers] Re: Mailman 2.1.31 security release

2020-05-05 Thread Mark Sapiro
On 5/5/20 9:01 AM, Mark Sapiro wrote:
> 
> Python 2.6 is the minimum supported, but Python 2.7, preferably 2.7.17 -
> the final Python 2 release, is strongly recommended.

It has been brought to my attention that the final Python 2 release is
2.7.18, released April 20, 2020, and that is what is recommended.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


