[Pkg-mailman-hackers] Bug#669813: Debian bug: mailman: Re: Archives not-->now working (need Require all granted in <Directory /var/lib/mailman/archives/public/>)

Michael Paoli Michael.Paoli at cal.berkeley.edu
Tue Jul 11 14:23:01 UTC 2017


Most relevant bit found among Debian bugs:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669813#36
The new apache security model requires adding this to the
Directory stanza for mailman:
              Require all granted

But that's not particularly detailed, most notably omits
mention of
/etc/mailman/apache.conf
and the
<Directory /var/lib/mailman/archives/public/>
section within.

Recommended to (mostly) fix mailman 1:2.1.18-2+deb8u1 amd64:

$ diff -U 5 etc/mailman/apache.conf.bug_669813 etc/mailman/apache.conf
--- etc/mailman/apache.conf.bug_669813  2016-09-14 23:05:02.000000000 -0700
+++ etc/mailman/apache.conf     2017-07-11 07:01:29.116879436 -0700
@@ -26,10 +26,11 @@
  <Directory /var/lib/mailman/archives/public/>
      Options FollowSymlinks
      AllowOverride None
      Order allow,deny
      Allow from all
+    Require all granted
  </Directory>
  <Directory /usr/share/images/mailman/>
      AllowOverride None
      Order allow,deny
      Allow from all
$

At least that's the case for Jessie (presently oldstable)
(
Debian GNU/Linux 8.8 (jessie) x86_64
mailman 1:2.1.18-2+deb8u1 amd64
apache2 2.4.10-10+deb8u9 amd64
)

I haven't (at least yet) checked to see if there's patch applied
yet for newer than mailman 1:2.1.18-2+deb8u1 amd64 that may cover
that fix.

In the meantime, for work-around for at least those versions,
in Apache configuration, in addition to (which I added):
Include ../mailman/apache.conf
(or
Include /etc/mailman/apache.conf
or equivalent
)
also add (and if the above is used via Include, use this *after* the above):
<Directory /var/lib/mailman/archives/public/>
     Options FollowSymlinks
     AllowOverride None
     Order allow,deny
     Allow from all
     Require all granted
</Directory>

> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
> Subject: Archives now working: BALUG-Test list
> Date: Tue, 11 Jul 2017 00:36:28 -0700

> Archives are now working.
> Relevant bit ... I ought (when I get around to it) check if there's
> bug filed (it may already be fixed even - but not yet to stable).

> The missing bit ... I'd (rather than redundantly copied/maintain) used:
> (relative to /etc/apache2):
> Include ../mailman/apache.conf
> in file sites-available/Include/temp.balug.org
> that was almost all well fine and good (I'd reviewed
> ./mailman/apache.conf earlier).  But it left out one key needed bit,
> it has:
> <Directory /var/lib/mailman/archives/public/>
>     Options FollowSymlinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
> </Directory>
> but needs:
> <Directory /var/lib/mailman/archives/public/>
>     Options FollowSymlinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>     Require all granted
> </Directory>
> My relatively simple fix,
> add to file
> sites-available/Include/temp.balug.org
> <Directory /var/lib/mailman/archives/public/>
>     Options FollowSymlinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>     Require all granted
> </Directory>
> after:
> Include ../mailman/apache.conf
> ... Apache doesn't seem to care about the same
> <Directory /var/lib/mailman/archives/public/>
> appearing twice, and seems in that case to just use the latter fine,

> So ... /etc/mailman/apache.conf
> should have included but failed to include, in it's section:
> <Directory /var/lib/mailman/archives/public/>
> the line:
>     Require all granted
> So ... I think I'd call that a "bug" - even if it's documentation
> errata.  Might be a Debian specific patch needed, as other
> distributions and/or Apache may have different defaults on
> that security.

https://temp.balug.org/pipermail/balug-test/2017-July/000004.html
temp.balug.org will in future be moved to lists.balug.org, so that
will become:
https://lists.balug.org/pipermail/balug-test/2017-July/000004.html



More information about the Pkg-mailman-hackers mailing list