2.1.4 allows 3rd parties to obtain member passwords. Also 2.1.5 has many performance enhancements.
I tried just renaming the ebuild to 2.1.5 - and it compiles fine - and installs "almost"-fine. I get this error:
    [SNIP]
    gunzip -c ./$p.tar.gz | (cd . ; tar xf -); \
    (cd ./$p ; umask 02 ; PYTHONPATH=/var/tmp/portage/mailman-2.1.5/image//usr/local/mailman/pythonlib /usr/bin/python setup.py --quiet install --install-lib /var/tmp/portage/mailman-2.1.5/image//usr/local/mailman/pythonlib --install-purelib /var/tmp/portage/mailman-2.1.5/image//usr/local/mailman/pythonlib --install-data /var/tmp/portage/mailman-2.1.5/image//usr/local/mailman/pythonlib); \
    done
    <command line>:1:15: missing terminating " character
    <command line>:1:18: missing terminating " character
    <command line>:1:18: missing terminating " character
    <command line>:1:17: missing terminating " character
    <command line>:1:20: missing terminating " character
    error: command 'gcc' failed with exit status 1
    <command line>:1:15: missing terminating " character
    <command line>:1:18: missing terminating " character
    <command line>:1:18: missing terminating " character
    <command line>:1:17: missing terminating " character
    <command line>:1:20: missing terminating " character
    error: command 'gcc' failed with exit status 1
    make[1]: *** [install-packages] Error 1
    make[1]: Leaving directory `/var/tmp/portage/mailman-2.1.5/work/mailman-2.1.5/misc'
    [SNIP]
I don't remember if the same problem was in 2.1.4 - but 2.1.5 still seems to work just fine, anyways (I probably just haven't found the place this breaks?). I've tried to subscribe/unsubscribe to my newslist - haven't tried to send out yet.
Confirmed, from : http://mail.python.org/pipermail/mailman-announce/2004-May/000072.html "This version also contains a fix for an exploit that could allow 3rd parties to retrieve member passwords." net-mail : please bump mailman to 2.1.5
*** Bug 52043 has been marked as a duplicate of this bug. ***
Martin: apparently you did a lot of maintenance work on this ebuild, could you bump it ? We had no feedback from the net-mail team...
Created attachment 32239
new version fixing security issue
Modified the ebuild by:
- fixing the apache2 entries
- made python-2.3.3 mandatory to compile on dependencies
Steph
Looking at the submitted ebuild, I think it drops Apache1 compatibility. I checked a simple ebuild bump and it works perfectly... I don't have the problems Klavs described. I propose to put a bump ebuild as ~ for testing.
It's probably my python version (2.2.3) then. Anyhow it works fine - except for the Danish translation - which makes it barf - I have submitted a bug report on that - with all info - incl. python version.
Installs fine for me with the latest stable Python (2.3.3 I believe).
Created attachment 32372
mailman-2.1.5.ebuild
OK so a bumped version is fine. We should probably change the Python DEPEND to ">=dev-lang/python-2.3" as this seems to be required for proper install. Proposed ebuild is attached. net-mail: we really need someone to bump this, and the security team will do it by itself if you don't.
plasmaroo did the bump in portage, but without proper means to test, the ebuild has no KEYWORDS yet. We know it compiles and installs fine on x86, and had a somewhat positive usage report from the reporter. Arches : please test and mark net-mail/mailman-2.1.5 ~ and/or stable. We need at least "x86 ~ppc sparc" for the GLSA, which is already overdue.
Sorry for the delay, just committed some corrections to the ebuild. mailman-2.1.5 works fine here.
Martin, what MTA are you using with mailman? I have a fresh install of mailman here with sendmail and any messages sent to the default mailman list get returned because the mailman script thinks it is getting run with a group of daemon instead of the preferred mail.
I'm using sendmail and have to override MAILGID="280" with MAILGID="2". postfix needs 65534 afaik and smrsh needs another GID. How about qmail?
x86, sparc : please test and mark stable the latest ebuild...
Stable on sparc.
Martin -- Is this OK to mark stable on x86?
This security bug is overdue. x86 -- please test and mark stable ASAP. Thanks.
Sorry for the delay, x86 is now stable in CVS.
GLSA 200406-04
resolved?
Yes - Mailman 2.1.5 is the only one in the tree - and it is fixed in that. It is already marked as "RESOLVED FIXED" though.