epic #5003 Mailman investigations

story #5002 spike mailman

Artifact

Summary

As a

Site admin

I want to *

spike mailman

So thatEmpty

Acceptance criteria

-> Version 2.1.16 of mailman (diff security patch with 2.1.9 of redhat)
-> Evaluation of a hard limit of subscribers number on the both versions
-> (sla #4936) find another way than sending a clear password by mail (both versions)

Attachments

By Manuel Vacelet (vaceletm)

(798 B)

mailman.patch

Sample on how to count

CC listEmpty

Status

CategoryEmpty

StatusDone

Development

Checklist

[ ] Does it involves User Interface?
[ ] Are there any mockups?
[ ] Are permissions checked?
[ ] Does it need Javascript development?
[ ] Does it need a forge upgrade bucket?
[ ] Does it need to execute things in system events?
[ ] Does it impact project creation (templates)?
[ ] Is it exploratory?

Technical informations

Findings:

As for mailman-2.1.9 it seems that management of subscribe through the Web interface is done L1320 of Mailman/Cgi/admin.py
See attached patch

Questions:
- Is that Ok if we only limit subscribing by admin (mean people can register themselves by mail and by pass the limit) ?

Upgrade of mailman (latest stable release 2.1.15):
* XSS security flaws reported until mailman 2.1.15 (CVE-2011-0707) are already backported on RHEL mailman (2.1.9-6)
* 2.1.15 contains some enhancements that strength the application against CSRF attacks (even if no vulnerabilities were reported)
* 2.1.15 adds some other patches and behaviours that are not of top interest in our context (mainly list behaviours that were hardcoded that have now configuration options)

The latest mailman-tuleap (2.1.9-7.1) package already includes the security fixes that are relevant from 2.1.15

Moving to 2.1.15 would mean:
- Rebuilding package (re-apply all RHEL patches, the 17 of them)
- Upgrade all existing lists
- Having an unsupported and never tested in PROD condition package.

=> We do not recommend to move to 2.1.15.

Details

Artifact ID#5002

Submitted ByMartin GOYOT (goyotm)

Last Modified On2013-09-25 11:48

Submitted On2013-09-16 11:53

Rank3121

Permissions

Restrict access to this artifact for the following user groups:

References

Is related to

Artifact links

Reverse artifact links

Releases

Epics

Parent

Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
epic #5003	Tuleap	Epics	Mailman investigations	Closed	2013-12-03 16:14	Martin GOYOT (goyotm)

Cross References

Referencing story #5002

Artifact Tracker v5

rel #4931 6.6

epic #5003 Mailman investigations

Show items referenced by story #5002

Referenced by story #5002

Artifact

Follow-ups

Tracker Workflow Manager (forge__tracker_workflow_manager)

2013-09-25 11:48

Automatic change triggered by an update of art #5173.

Current artifact children satisfy the following condition(s):

all of Tasks Status are set to Done

Status changed from On going to Done
Category set to

Manuel Vacelet (vaceletm)

2013-09-24 17:22

Status changed from Done to On going

Manuel Vacelet (vaceletm)

2013-09-24 17:21

Is related to
- Added:

Manuel Vacelet (vaceletm)

2013-09-24 17:21

Is related to
- Added:

Manuel Vacelet (vaceletm)

2013-09-24 17:21

Attachments mailman.patch added
Technical informations

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Tracker Workflow Manager (forge__tracker_workflow_manager)

2013-09-24 17:19

Automatic change triggered by an update of art #5004.

Current artifact children satisfy the following condition(s):

all of Tasks Status are set to Done

Status changed from On going to Done

Manuel Vacelet (vaceletm)

2013-09-24 16:54

Technical informations

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Manuel Vacelet (vaceletm)

2013-09-24 16:44

Technical informations

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Manuel Vacelet (vaceletm)

2013-09-24 16:02

Technical informations

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Manuel Vacelet (vaceletm)

2013-09-23 18:41

Technical informations

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Tracker Workflow Manager (forge__tracker_workflow_manager)

2013-09-23 18:37

Automatic change triggered by an update of art #5005.

Current artifact children satisfy the following condition(s):

at least one Tasks Status equals On going

Status changed from Ready (stalled) to On going

Manuel Vacelet (vaceletm)

2013-09-23 18:32

There is no ways to avoid mailman sending mail in plain text.
However, as already stated in corresponding SLA we can reduce the frequency they are sent:

For all recent (the lists created the 3 last years) mailing list this should already be disabled.

You can check it by running (as mailman or root):
/usr/lib/mailman/bin/list_lists -b | while read list; do /usr/lib/mailman/bin/config_list -o - $list | grep "send_reminders = 1" 2>&1 >/dev/null && echo "$list send monthly reminder"; done

Then you can force disabling with:
#1 set "send_reminders = 0" into a file 'disable_reminder.cfg'
#2 run /usr/lib/mailman/bin/config_list -i disable_reminder.cfg LISTNAME
for each list you want to update
#3 restart mailman: service mailman restart