RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 745409 - default httpd config for Mailman offers directory listings for lists with disabled but public archives
Summary: default httpd config for Mailman offers directory listings for lists with dis...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: mailman
Version: 6.3
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Jan Kaluža
QA Contact: Alois Mahdal
URL:
Whiteboard:
Depends On: 745012
Blocks: 745411
TreeView+ depends on / blocked
 
Reported: 2011-10-12 09:50 UTC by Jan Kaluža
Modified: 2019-05-02 10:58 UTC (History)
4 users (show)

Fixed In Version: mailman-2.1.12-20.el6
Doc Type: Bug Fix
Doc Text:
When Mailman was set to not archive a list but the archive was not set to private, attachments sent to that list were placed in a public archive. Consequently, users of Mailman web interface could list private attachments because httpd configuration of public archive directory allows listing all files in the archive directory. The httpd configuration of Mailman has been fixed to not allow listing of private archive directory, and users of Mailman web interface are no longer able to list private attachments.
Clone Of: 745012
: 745411 (view as bug list)
Environment:
Last Closed: 2015-07-22 07:41:38 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1417 0 normal SHIPPED_LIVE Moderate: mailman security and bug fix update 2015-07-20 18:06:40 UTC

Description Jan Kaluža 2011-10-12 09:50:19 UTC 
+++ This bug was initially created as a clone of Bug #745012 +++

Description of problem:

If you ask Mailman to not archive a list but fail to ask it to keep the (disabled) archives private the attachments sent to that list will be placed in a public archive.

This problem is made worse by the default httpd config included in the rpm which turns on directory listings for the public archives:

    ...
    <Directory /var/lib/mailman/archives/public>
        Options Indexes MultiViews FollowSymLinks
    ...


Mailman maintains an index of all messages that belong in the archive including links to their attachments so it would make a lot more sense to disable Options Indexes for /var/lib/mailman/archives/public.


Version-Release number of selected component (if applicable):

mailman-2.1.9-6.el5_6.1



How reproducible:

Always.


Steps to Reproduce:

* Create a test list with settings:
archive = 0
archive_private = 0

* Send a message to the list with an attachment.

* Go to: http://SITE.ADDRESS/pipermail/TEST-LIST/attachments/ [^]

* Follow the directory listings to your attachment.

 
Actual results:

Attachment for unarchived list can be found by guessing a constant directory component and then following the directory indexes.


Expected results:

Nothing is archived for unarchived list.


Additional info:

% yum info mailman
Loaded plugins: fastestmirror
base 3566/3566
rpmforge 10775/10775
unit 38/38
unit-extras 3/3
Excluding Packages from RHEL 5 - RPMforge.net - dag
Finished
Installed Packages
Name : mailman
Arch : x86_64
Epoch : 3
Version : 2.1.9
Release : 6.el5_6.1
Size : 34 M
Repo : installed
Summary : Mailing list manager with built in Web access.
URL : http://www.list.org/ [^]
License : GPL
Description: Mailman is software to help manage email discussion lists, much
           : like Majordomo and Smartmail. Unlike most similar products, Mailman
           : gives each mailing list a webpage, and allows users to subscribe,
           : unsubscribe, etc. over the Web. Even the list manager can
           : administer his or her list entirely from the Web. Mailman also
           : integrates most things people want to do with mailing lists,
           : including archiving, mail <-> news gateways, and so on.
           :
           : Documentation can be found in: /usr/share/doc/mailman-2.1.9
           :
           : When the package has finished installing, you will need to perform
           : some additional installation steps, these are described in:
           : /usr/share/doc/mailman-2.1.9/INSTALL.REDHAT


I've already submitted this as Centos bug 0005123 but they referred to upstream.
http://bugs.centos.org/view.php?id=5123

--- Additional comment from jkaluza on 2011-10-11 05:13:30 EDT ---

So is it only about disabling indexes in httpd conf, or mailman stores private attachments in public directory for you?

--- Additional comment from ulrik.haugen on 2011-10-11 07:01:08 EDT ---

I've intended for this bug to be about disabling indexes in httpd.conf as it exposes this problem and is not suggested in the Mailman installation documentation.

The root cause of the problem is of course that Mailman stores these attachments in the archive when archiving is disabled so no list admin will think about marking the archive private, but it seems a bigger issue and just disabling the indexes will be a big help.

There is already a bug in the vicinity of the root cause in Mailmans bug tracker:
https://bugs.launchpad.net/mailman/+bug/266317
Comment 18 Alois Mahdal 2015-05-12 18:00:02 UTC 
Note that the test case We'll be using slightly differs from the OP:

 1. Create test list,

 2. send mail with *binary* attachment to the list

 3. set `archive = 0` and `archive_private = 0` for the list,

 4. and check http://site.example.com/pipermail/listname/attachments/,

while OP sends the mail *after* changing the settings, which in our settings resulted in empty archive in both cases (before and after fix).


Verified on x86_64, and scheduled tests for the rest of architectures.
Comment 19 Alois Mahdal 2015-05-12 20:07:11 UTC 
Verified on all architectures now.

(TJ#954912, TJ#954913)
Comment 21 errata-xmlrpc 2015-07-22 07:41:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1417.html
Note You need to log in before you can comment on or make changes to this bug.