[Pkg-mailman-hackers] Bug#904680: Regression in security update deb8u3 - "We're sorry, we hit a bug!"
Hans van Kranenburg
hans.van.kranenburg at mendix.com
Thu Jul 26 15:48:11 BST 2018
Package: mailman
Version: 1:2.1.18-2+deb8u3
Hi, after applying the latest security update, the only thing mailman
does for me in the web interface is display the following:
---- >8 ----
Bug in Mailman version 2.1.18
We're sorry, we hit a bug!
Please inform the webmaster for this site of this problem. Printing of
traceback and other system information has been explicitly inhibited,
but the webmaster can find this information in the Mailman error logs.
---- >8 ----
/var/log/mailman/error contains (IP address / hostname removed):
---- >8 ----
admin(1087): [----- Mailman Version: 2.1.18 -----]
admin(1087): [----- Traceback ------]
admin(1087): Traceback (most recent call last):
admin(1087):   File "/var/lib/mailman/scripts/driver", line 117, in run_main
admin(1087):     main()
admin(1087):   File "/var/lib/mailman/Mailman/Cgi/listinfo.py", line 42, in main
admin(1087):     parts = Utils.GetPathPieces()
admin(1087):   File "/var/lib/mailman/Mailman/Utils.py", line 272, in GetPathPieces
admin(1087):     if len(pieces[0]) > longest:
admin(1087): IndexError: list index out of range
admin(1087): [----- Python Information -----]
admin(1087): sys.version = 2.7.9 (default, Jun 29 2016, 13:08:31)
[GCC 4.9.2]
admin(1087): sys.executable = /usr/bin/python
admin(1087): sys.prefix = /usr
admin(1087): sys.exec_prefix = /usr
admin(1087): sys.path = ['/var/lib/mailman/pythonlib',
'/var/lib/mailman', '/usr/lib/mailman/scripts', '/var/lib/mailman',
'/usr/lib/python2.7/', '/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload', '/usr/lib/python2.7/site-packages']
admin(1087): sys.platform = linux2
admin(1087): [----- Environment Variables -----]
admin(1087): REDIRECT_STATUS: 200
admin(1087): SERVER_SOFTWARE: nginx/1.10.3
admin(1087): SCRIPT_NAME: /mailman/listinfo
admin(1087): SHELL: /usr/sbin/nologin
admin(1087): REQUEST_METHOD: GET
admin(1087): LOGNAME: www-data
admin(1087): PATH_INFO: /
admin(1087): SERVER_PROTOCOL: HTTP/1.1
admin(1087): QUERY_STRING:
admin(1087): HOME: /var/www
admin(1087): CONTENT_LENGTH:
admin(1087): HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
admin(1087): HTTP_CONNECTION: keep-alive
admin(1087): SERVER_NAME: lists.example.com
admin(1087): REMOTE_PORT: 33536
admin(1087): SERVER_PORT: 443
admin(1087): SERVER_ADDR: a.b.c.d
admin(1087): DOCUMENT_ROOT: /usr/lib/cgi-bin
admin(1087): LANG: en_US.UTF-8
admin(1087): PYTHONPATH: /var/lib/mailman
admin(1087): SCRIPT_FILENAME: /usr/lib/cgi-bin/mailman/listinfo
admin(1087): DOCUMENT_URI: /mailman/listinfo/
admin(1087): HTTP_DNT: 1
admin(1087): HTTP_HOST: lists.example.com
admin(1087): HTTPS: on
admin(1087): FCGI_ROLE: RESPONDER
admin(1087): HTTP_CACHE_CONTROL: max-age=0
admin(1087): REQUEST_URI: /mailman/listinfo/
admin(1087): HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
admin(1087): GATEWAY_INTERFACE: CGI/1.1
admin(1087): REMOTE_ADDR: a.b.c.d
admin(1087): HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.5
admin(1087): REQUEST_SCHEME: https
admin(1087): CONTENT_TYPE:
admin(1087): HTTP_UPGRADE_INSECURE_REQUESTS: 1
admin(1087): HTTP_ACCEPT_ENCODING: gzip, deflate, br
admin(1087): USER: www-data
---- >8 ----
When downgrading to 1:2.1.18-2+deb8u2 the problem is immediately gone
and mailman works properly again.
Mailman is running on its own, as usual, and here's the mailman-specific
part of the nginx configuration for the nginx process that is in front
of it, handling https etc...
---- >8 ----
server {
    listen [::]:443;
    listen 0.0.0.0:443;
    ssl_certificate /etc/ssl/example.com.crt;
    ssl_certificate_key /etc/ssl/example.com.key;
    server_name example.com;

    add_header Strict-Transport-Security "max-age=31536000;";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    rewrite ^/$ /mailman/listinfo/ permanent;
    rewrite ^/mailman/?$ /mailman/listinfo/ permanent;

    location / {
        return 503;
    }

    location /mailman {
        root /usr/lib/cgi-bin;
        fastcgi_split_path_info (^/mailman/[^/]+)(/.*)$;
        fastcgi_pass unix:///var/run/fcgiwrap.socket;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location /images/mailman {
        alias /usr/share/images/mailman;
    }

    location /pipermail {
        alias /var/lib/mailman/archives/public;
        autoindex on;
    }
}
---- >8 ----
Do you have any idea how the changes in the update could cause this
breakage, or if I'm supposed to change something to end up with a
situation where mailman receives and validates the correct info?
Thanks,
--
Hans van Kranenburg
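
Added example (not part of the original message and not Mailman's code): the failure shape the traceback shows, where PATH_INFO is `/` and `pieces[0]` is indexed, next to a guarded form of the same length check. It assumes `pieces` holds the non-empty `/`-separated components of PATH_INFO and that `longest` is the length of the longest list name; all function names and sample values are hypothetical.

```python
# Added illustration; not Mailman source code. All names here are hypothetical.

def split_path_info(path_info):
    """Split a CGI PATH_INFO value into its non-empty components."""
    return [p for p in (path_info or "").split("/") if p]


def pieces_unguarded(path_info, list_names):
    """Length check that indexes pieces[0] without testing for an empty list."""
    longest = max((len(n) for n in list_names), default=0)
    pieces = split_path_info(path_info)
    if len(pieces[0]) > longest:  # IndexError when there are no components
        raise ValueError("first path component longer than any list name")
    return pieces


def pieces_guarded(path_info, list_names):
    """Same check; a request that names no list yields an empty result."""
    longest = max((len(n) for n in list_names), default=0)
    pieces = split_path_info(path_info)
    if pieces and len(pieces[0]) > longest:
        raise ValueError("first path component longer than any list name")
    return pieces


def outcome(func, path_info, list_names):
    """Run one variant and report 'crash', 'rejected', or the parsed pieces."""
    try:
        return func(path_info, list_names)
    except IndexError:
        return "crash"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    names = ["announce", "dev"]            # constructed list names
    samples = ["/", "//", "", None, "/announce/", "/dev/members",
               "/" + "A" * 64]             # constructed PATH_INFO values
    for s in samples:
        print(repr(s)[:24].ljust(26),
              str(outcome(pieces_unguarded, s, names)).ljust(24),
              outcome(pieces_guarded, s, names))
```

With the constructed inputs, the unguarded variant crashes on every PATH_INFO that names no list, while both variants agree on requests that do name one and both reject the over-long component.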