FYI: Django security releases issued: 4.0.6 and 3.2.14
https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
Django security releases issued: 4.0.6 and 3.2.14
Posted by *Mariusz Felisiak* on July 4, 2022
In accordance with our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>, the Django team is issuing Django 4.0.6 <https://docs.djangoproject.com/en/dev/releases/4.0.6/> and Django 3.2.14 <https://docs.djangoproject.com/en/dev/releases/3.2.14/>. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.
CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments
Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value.
Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
This security release mitigates the issue, but we have identified improvements to the Database API methods related to date extract and truncate that would be beneficial to add to Django 4.1 before its final release. This will impact 3rd party database backends using Django 4.1 release candidate 1 or newer, until they are able to update to the API changes. We apologize for the inconvenience.
Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
This issue has severity "high" according to the Django security policy.
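The advisory notes that applications which constrain the kind and lookup name to a known safe list are unaffected. The following is that check written out as an added example (it is not Django's code and not part of the announcement): it does not import Django, the allow-listed names are the ones Django's date/time database-function documentation lists for Extract() and Trunc(), and the query-string parameters and view helper are constructed for illustration.

```python
"""Allow-list request-supplied `kind`/`lookup_name` values before they reach
Trunc()/Extract().  Constructed example for CVE-2022-34265; not Django code."""
from typing import Mapping, Optional

# Documented Extract() lookup names (Django 3.2/4.0 docs).
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "day",
    "week", "week_day", "iso_week_day", "hour", "minute", "second",
})
# Documented Trunc() kinds, including the TruncDate/TruncTime kinds.
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day",
    "hour", "minute", "second", "date", "time",
})


class UnsafeLookupName(ValueError):
    """Raised when a request-supplied name is not on the allow-list."""


def safe_name(value: object, allowed: frozenset, default: Optional[str] = None) -> str:
    """Return `value` only if it is exactly one of `allowed`.

    No normalisation (lower(), strip()) is applied: the string returned here
    is the string the ORM interpolates into SQL, so it has to be identical to
    an allow-listed constant, not merely similar to one.  A missing value
    falls back to `default`; anything else is rejected.
    """
    if value is None and default is not None:
        return default
    if isinstance(value, str) and value in allowed:
        return value
    raise UnsafeLookupName(f"rejected lookup/kind value: {value!r}")


def group_by_clause(params: Mapping[str, str]) -> dict:
    """Validate query-string parameters for a hypothetical date-bucketed report.

    In a real view the returned values would feed
        qs.annotate(bucket=Trunc("created", kind))
          .annotate(part=Extract("created", lookup_name))
    The allow-list check is the only thing between the URL and the generated
    SQL, which is why it runs before the ORM sees the values.
    """
    kind = safe_name(params.get("kind"), TRUNC_KINDS, default="day")
    lookup = safe_name(params.get("part"), EXTRACT_LOOKUPS, default="year")
    return {"kind": kind, "lookup_name": lookup}
```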
Thanks to Guillermo for the heads-up.
As far as I can tell, neither of these functions is used in the Mailman suite itself. That doesn't mean they aren't used in one of our dependencies, but it does mean that we can't do much about what's installed on your host. You should upgrade if you are using Django 3 or 4. (Not sure we support Django 4.) We will keep a watch on this.
Again, thank you, Guillermo!
Guillermo Hernandez (Oldno7) via Mailman-users writes:
https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
Django security releases issued: 4.0.6 and 3.2.14
Posted by *Mariusz Felisiak* on July 4, 2022
CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments
Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value.
On 7/7/22 12:56 AM, Stephen J. Turnbull wrote:
Thanks to Guillermo for the heads-up.
As far as I can tell, neither of these functions is used in the Mailman suite itself. That doesn't mean they aren't used in one of our dependencies, but it does mean that we can't do much about what's installed on your host. You should upgrade if you are using Django 3 or 4. (Not sure we support Django 4.) We will keep a watch on this.
I just upgraded from Django 3.2.11 to 3.2.14 on mail.python.org and lists.mailman3.org.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
On 7/7/22 10:25 AM, Mark Sapiro wrote:
I just upgraded from Django 3.2.11 to 3.2.14 on mail.python.org and lists.mailman3.org.
How to upgrade mailman-web to align with Django?
I upgraded from Django 3.0.14 to 3.1.14 and then 3.2.14 using these docs:
https://docs.djangoproject.com/en/4.0/howto/upgrade-version/
But then this upgrade command returned a complaint that mailman-web 0.0.5 requires Django<3.1:
pip install -U mailman postorius django-mailman3 hyperkitty mailman-web uwsgi
and it downgraded Django back to 3.0.14.
I did not see anything about this in the Django for Mailman Admins doc, but I may have missed something.
https://docs.mailman3.org/en/latest/django-primer.html
Thanks.
dn
On 7/7/22 11:10 AM, David Newman wrote:
On 7/7/22 10:25 AM, Mark Sapiro wrote:
pip install -U mailman postorius django-mailman3 hyperkitty mailman-web uwsgi
and it downgraded Django back to 3.0.14.
Because mailman-web 0.0.5 has in its setup.cfg
install_requires =
Django<3.1
try
pip install -U git+https://gitlab.com/mailman/mailman-web.git
to get the latest mailman-web whose Django requirement is
install_requires =
django >=2.2, !=3.0, <4
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
On 7/7/22 12:26 PM, Mark Sapiro wrote:
On 7/7/22 11:10 AM, David Newman wrote:
On 7/7/22 10:25 AM, Mark Sapiro wrote:
pip install -U mailman postorius django-mailman3 hyperkitty mailman-web uwsgi
and it downgraded Django back to 3.0.14.
Because mailman-web 0.0.5 has in its setup.cfg
install_requires =
Django<3.1
try
pip install -U git+https://gitlab.com/mailman/mailman-web.git
to get the latest mailman-web whose Django requirement is
install_requires =
django >=2.2, !=3.0, <4
That seemed to work OK, thanks. mailman-web is now on a dev version of 0.0.6 and Django is now on 3.2.14.
However, pip now throws a warning when looking at package info:
(venv) mailman@somehost:/home/dnewman$ pip show mailman-web
WARNING: Ignoring invalid distribution -jango (/opt/mailman/venv/lib/python3.9/site-packages)
Name: mailman-web
Version: 0.0.6.dev9+gc606169
Summary: Mailman 3 Web interface.
Home-page: https://gitlab.com/mailman/mailman-web
Author: Mailman Developers
Author-email: mailman-developers@python.org
License: GPLv3
Location: /opt/mailman/venv/lib/python3.9/site-packages
Requires: django, hyperkitty, postorius, whoosh
Required-by:
How to correct that so the command runs clean with no warnings or errors? This is on a host running Debian 11 with mailman3 and friends installed in a venv.
Thanks.
dn
On 7/7/22 12:44 PM, David Newman wrote:
However, pip now throws a warning when looking at package info:
(venv) mailman@somehost:/home/dnewman$ pip show mailman-web
WARNING: Ignoring invalid distribution -jango (/opt/mailman/venv/lib/python3.9/site-packages)
...
What does
ls -la /opt/mailman/venv/lib/python3.9/site-packages/-jango*
show? I suspect you have some spurious stuff there. The timestamps might give a clue as to how it got there.
If it shows anything,
rm -rf /opt/mailman/venv/lib/python3.9/site-packages/-jango*
will probably fix it.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
On 7/7/22 1:20 PM, Mark Sapiro wrote:
On 7/7/22 12:44 PM, David Newman wrote:
However, pip now throws a warning when looking at package info:
(venv) mailman@somehost:/home/dnewman$ pip show mailman-web
WARNING: Ignoring invalid distribution -jango (/opt/mailman/venv/lib/python3.9/site-packages)
...
What does
ls -la /opt/mailman/venv/lib/python3.9/site-packages/-jango*
show? I suspect you have some spurious stuff there. The timestamps might give a clue as to how it got there.
If it shows anything,
rm -rf /opt/mailman/venv/lib/python3.9/site-packages/-jango*
will probably fix it.
That was my first thought too. But there's nothing in that directory beginning with a hyphen, not even with the -a switch.
The Django directories are as follows:
django
Django-3.2.14.dist-info
django_allauth-0.47.0.dist-info
django_appconf-1.0.5.dist-info
django_compressor-3.0.dist-info
django_extensions
django_extensions-3.1.5.dist-info
django_gravatar
django_gravatar2-1.4.4.dist-info
django_haystack-3.1.1.dist-info
django_mailman3
django_mailman3-1.3.7.dist-info
django_picklefield-3.0.1.dist-info
django_q
django_q-1.3.9.dist-info
djangorestframework-3.13.1.dist-info
dn
On 7/7/22 1:36 PM, David Newman wrote:
That was my first thought too. But there's nothing in that directory beginning with a hyphen, not even with the -a switch.
What about
ls -la /opt/mailman/venv/lib/python3.9/site-packages/*-jango*
and if that shows nothing,
grep -r '-jango' /opt/mailman/venv/lib/python3.9/site-packages/
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
On 7/7/22 3:02 PM, Mark Sapiro wrote:
On 7/7/22 1:36 PM, David Newman wrote:
That was my first thought too. But there's nothing in that directory beginning with a hyphen, not even with the -a switch.
What about
ls -la /opt/mailman/venv/lib/python3.9/site-packages/*-jango*
and if that shows nothing,
grep -r '-jango' /opt/mailman/venv/lib/python3.9/site-packages/
Nothing from the first command.
The second command thinks '-j' is grep switch, and throws an invalid-option error:
root@somehost:/opt/mailman/venv/lib/python3.9/site-packages# grep -r '-jango' /opt/mailman/venv/lib/python3.9/site-packages/
grep: invalid option -- 'j'
Usage: grep [OPTION]... PATTERNS [FILE]...
I *think* the command runs if I escape the hyphen:
root@somehost:/opt/mailman/venv/lib/python3.9/site-packages# grep -r '\-jango' /opt/mailman/venv/lib/python3.9/site-packages/
But then that doesn't return anything.
dn
On 7/7/22 3:09 PM, David Newman wrote:
I *think* the command runs if I escape the hyphen:
root@somehost:/opt/mailman/venv/lib/python3.9/site-packages# grep -r '\-jango' /opt/mailman/venv/lib/python3.9/site-packages/
But then that doesn't return anything.
Yes, escaping the hyphen is the correct thing to do. You could also try something like
grep -r '.-jango' /opt/mailman/venv/lib/python3.9/site-packages/
but that will also return nothing.
See https://stackoverflow.com/questions/67613777/pip-ignoring-invalid-distributi... https://stackoverflow.com/questions/68880743/why-do-i-get-this-when-using-pi... and perhaps other hits from https://www.google.com/search?q=pip+warning+ignoring+invalid+distribution
Look for
ls -la /opt/mailman/venv/lib/python3.9/site-packages/~jango*
i.e. ~jango
rather than -jango
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Mark Sapiro writes:
On 7/7/22 3:09 PM, David Newman wrote:
I *think* the command runs if I escape the hyphen:
Yes, escaping the hyphen is the correct thing to do. You could also try something like
grep -r '.-jango' /opt/mailman/venv/lib/python3.9/site-packages/
grep -r -e -jango ...
should also work (and return nothing in this case). -e can be used multiple times, effectively or-ing the regexps. (Especially useful with -F if you have a lot of regexp operators in fixed strings!)
On 7/7/22 3:35 PM, Mark Sapiro wrote:
On 7/7/22 3:09 PM, David Newman wrote:
I *think* the command runs if I escape the hyphen:
root@somehost:/opt/mailman/venv/lib/python3.9/site-packages# grep -r '\-jango' /opt/mailman/venv/lib/python3.9/site-packages/
But then that doesn't return anything.
Yes, escaping the hyphen is the correct thing to do. You could also try something like
grep -r '.-jango' /opt/mailman/venv/lib/python3.9/site-packages/
but that will also return nothing.
See https://stackoverflow.com/questions/67613777/pip-ignoring-invalid-distributi... https://stackoverflow.com/questions/68880743/why-do-i-get-this-when-using-pi... and perhaps other hits from https://www.google.com/search?q=pip+warning+ignoring+invalid+distribution
Look for
ls -la /opt/mailman/venv/lib/python3.9/site-packages/~jango*
i.e.
~jango
rather than -jango
Interesting -- that does produce two directories with names starting with a tilde:
/opt/mailman/venv/lib/python3.9/site-packages/~jango:
total 100
drwxr-xr-x  19 root    root     4096 Jul  7 10:56 .
drwxr-xr-x 188 mailman mailman 12288 Jul  7 12:38 ..
drwxr-xr-x   3 root    root     4096 Jul  7 10:56 apps
drwxr-xr-x   3 root    root     4096 Jul  7 10:56 bin
drwxr-xr-x   7 root    root     4096 Jul  7 10:56 conf
drwxr-xr-x  18 root    root     4096 Jul  7 10:56 contrib
drwxr-xr-x  11 root    root     4096 Jul  7 10:56 core
drwxr-xr-x   6 root    root     4096 Jul  7 10:56 db
drwxr-xr-x   3 root    root     4096 Jul  7 10:56 dispatch
drwxr-xr-x   5 root    root     4096 Jul  7 10:56 forms
drwxr-xr-x   3 root    root     4096 Jul  7 10:56 http
-rw-r--r--   1 root    root      800 Jul  7 10:56 __init__.py
-rw-r--r--   1 root    root      211 Jul  7 10:56 __main__.py
drwxr-xr-x   3 root    root     4096 Jul  7 10:56 middleware
drwxr-xr-x   2 root    root     4096 Jul  7 10:56 __pycache__
-rw-r--r--   1 root    root     4896 Jul  7 10:56 shortcuts.py
drwxr-xr-x   5 root    root     4096 Jul  7 10:56 template
drwxr-xr-x   3 root    root     4096 Jul  7 10:56 templatetags
drwxr-xr-x   3 root    root     4096 Jul  7 10:56 test
drwxr-xr-x   3 root    root     4096 Jul  7 10:56 urls
drwxr-xr-x   4 root    root     4096 Jul  7 10:56 utils
drwxr-xr-x   6 root    root     4096 Jul  7 10:56 views

/opt/mailman/venv/lib/python3.9/site-packages/~jango-3.0.14.dist-info:
total 500
drwxr-xr-x   2 root    root     4096 Jul  7 10:56 .
drwxr-xr-x 188 mailman mailman 12288 Jul  7 12:38 ..
-rw-r--r--   1 root    root    36843 Jul  7 10:56 AUTHORS
-rw-r--r--   1 root    root       83 Jul  7 10:56 entry_points.txt
-rw-r--r--   1 root    root        4 Jul  7 10:56 INSTALLER
-rw-r--r--   1 root    root     1552 Jul  7 10:56 LICENSE
-rw-r--r--   1 root    root    13231 Jul  7 10:56 LICENSE.python
-rw-r--r--   1 root    root     3625 Jul  7 10:56 METADATA
-rw-r--r--   1 root    root   415583 Jul  7 10:56 RECORD
-rw-r--r--   1 root    root        7 Jul  7 10:56 top_level.txt
-rw-r--r--   1 root    root       92 Jul  7 10:56 WHEEL
Going back to the original warning:
(venv) mailman@somehost:/home/dnewman$ pip show mailman-web
WARNING: Ignoring invalid distribution -jango (/opt/mailman/venv/lib/python3.9/site-packages)
Name: mailman-web
..
The warning goes away after moving those two tilde directories out of the way. Is it safe to delete them?
Thanks again.
dn
David Newman writes:
Interesting -- that does produce two directories with names starting with a tilde:
/opt/mailman/venv/lib/python3.9/site-packages/~jango:
/opt/mailman/venv/lib/python3.9/site-packages/~jango-3.0.14.dist-info:
I would guess that those are the previous versions before the upgrade, moved out of the way in case a revert-to-previous was needed. Again, guessing, they should have been removed by the upgrade process once the new package was fully installed. Was there an interrupted or partially successful upgrade in the past?
So I would guess you can remove them. Probably you have the relevant Ubuntu packages cached somewhere, and they're probably available from Ubuntu if you really wanted them. If you're really paranoid, you could tar them up and stick them somewhere out of the way, but I think just delete them. I doubt anything can refer to them by that name, except for a process that was running before the update.
It's also possible that apt (or whatever package manager) has a "fix broken" command that might clean them up for you. "apt-get update --fix-broken" and "apt autoremove" are possibilities with apt.
Steve
On 7/8/22 6:34 AM, Stephen J. Turnbull wrote:
David Newman writes:
Interesting -- that does produce two directories with names starting with a tilde:
/opt/mailman/venv/lib/python3.9/site-packages/~jango:
/opt/mailman/venv/lib/python3.9/site-packages/~jango-3.0.14.dist-info:
I would guess that those are the previous versions before the upgrade, moved out of the way in case a revert-to-previous was needed. Again, guessing, they should have been removed by the upgrade process once the new package was fully installed. Was there an interrupted or partially successful upgrade in the past?
When pip is doing an upgrade of the xyz package, it renames the existing package as ~yz and then ultimately deletes the old ~yz package after successfully installing the new xyz. In this case, the upgrade was aborted because of the Django<3.1 constraint in mailman-web and apparently pip then installed Django<3.1 and left the ~jango* directories behind.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
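The rename-to-tilde behaviour described above is easy to audit for. The script below is an added example (neither pip's nor Mailman's code) that scans a site-packages directory for "~" leftovers and, since the first character of the original name is lost in the rename, pairs each one by suffix with the live dist-info it was replaced by. The sample directory tree is constructed from the listing posted earlier in the thread.

```python
"""Find `~`-prefixed leftovers that an aborted pip upgrade leaves in site-packages.

Added example, not pip's code.  pip renames the package being replaced to
"~" plus its name minus the first character (django -> ~jango) and removes that
copy once the new package is installed; an aborted upgrade leaves it behind and
`pip show` then warns "Ignoring invalid distribution -jango".
"""
import os
import re
import tempfile

# "~jango" (the renamed package dir) or "~jango-3.0.14.dist-info" (its metadata).
STALE_RE = re.compile(r"^~(?P<stem>[^-]+)(?:-(?P<version>[^-]+)\.dist-info)?$")
# A live metadata dir such as "Django-3.2.14.dist-info".
LIVE_RE = re.compile(r"^(?P<name>[^-~]+)-(?P<version>[^-]+)\.dist-info$")


def find_stale_distributions(site_packages: str) -> dict:
    """Group tilde entries by stem and pair each with the live package it came from."""
    entries = sorted(os.listdir(site_packages))
    stale = {}
    for entry in entries:
        m = STALE_RE.match(entry)
        if not m:
            continue
        info = stale.setdefault(m.group("stem").lower(),
                                {"entries": [], "old_version": None, "replaced_by": []})
        info["entries"].append(entry)
        if m.group("version"):
            info["old_version"] = m.group("version")
    # The leading character is gone, so match live names by suffix:
    # "Django" ends with "jango", "django_mailman3" does not.
    for stem, info in stale.items():
        for entry in entries:
            live = LIVE_RE.match(entry)
            if live and live.group("name").lower().endswith(stem):
                info["replaced_by"].append((live.group("name"), live.group("version")))
    return stale


def constructed_site_packages() -> str:
    """Build a throwaway tree mirroring the thread's `ls` output (constructed data)."""
    root = tempfile.mkdtemp(prefix="site-packages-")
    for name in ("~jango", "~jango-3.0.14.dist-info", "django",
                 "Django-3.2.14.dist-info", "django_q", "django_q-1.3.9.dist-info",
                 "django_mailman3", "django_mailman3-1.3.7.dist-info"):
        os.mkdir(os.path.join(root, name))
    return root


if __name__ == "__main__":
    for stem, info in find_stale_distributions(constructed_site_packages()).items():
        print(f"~{stem}: {info['entries']} (was {info['old_version']}), "
              f"live package(s): {info['replaced_by']}")
```

Point find_stale_distributions() at the real site-packages path from the thread to get the same report for a live venv; it only reads the directory and never deletes anything.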
On 7/8/22 6:34 AM, Stephen J. Turnbull wrote:
David Newman writes:
Interesting -- that does produce two directories with names starting with a tilde:
/opt/mailman/venv/lib/python3.9/site-packages/~jango:
/opt/mailman/venv/lib/python3.9/site-packages/~jango-3.0.14.dist-info:
I would guess that those are the previous versions before the upgrade, moved out of the way in case a revert-to-previous was needed. Again, guessing, they should have been removed by the upgrade process once the new package was fully installed. Was there an interrupted or partially successful upgrade in the past?
Yes
So I would guess you can remove them. Probably you have the relevant Ubuntu packages cached somewhere, and they're probably available from Ubuntu if you really wanted them.
This system runs Debian 11, with everything installed in a venv. I'm unclear on the relationship between the usual apt* tools and pip, and just do everything Mailman-related using pip.
On 7/8/22 7:47 AM, Mark Sapiro wrote:
When pip is doing an upgrade of the xyz package, it renames the existing package as ~yz and then ultimately deletes the old ~yz package after successfully installing the new xyz. In this case, the upgrade was aborted because of the Django<3.1 constraint in mailman-web and apparently pip then installed Django<3.1 and left the ~jango* directories behind.
Ahhh, that explains it.
Thanks for your replies. I've deleted the ~ directories and so far have not noticed any adverse effects.
dn
On 7/8/22 8:28 AM, David Newman wrote:
This system runs Debian 11, with everything installed in a venv. I'm unclear on the relationship between the usual apt* tools and pip, and just do everything Mailman-related using pip.
apt will not install into a virtualenv, even if the virtualenv is active when running apt-get. It only installs system wide. Further, apt doesn't know about packages installed by pip (either system wide or in a virtualenv) and vice versa. See https://askubuntu.com/questions/581648/install-package-into-virtualenv-using... for more.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
I just upgraded Django from version 3.0.11 to 3.2.15 receiving this confirmation
Successfully installed Django-3.2.15 asgiref-3.5.2
I also upgraded flufl.lock from version 7.0 to 7.1
Successfully installed flufl.lock-7.1
Then I restarted mailman, qcluster & gunicorn
Now for some reason I'm not receiving my own postings to the list whereas before I was. 'Receive own postings' is still set to yes.
Thank you!
Christian via Mailman-users writes:
Now for some reason I'm not receiving my own postings to the list whereas before I was. 'Receive own postings' is still set to yes.
Is anybody receiving posts?
Are you looking at your settings as a list subscriber, or for the address, or for your User? The first one in that list will decide what setting is applied. Most likely all of your settings are set in the User (called "global" in Postorius), but you should check to make sure.
How about "receive list copies"? If you're Cc'd on the post as well as being a member of the list, setting that to "no" would prevent you from receiving the message via the list. The three levels of setting applies here too.
Otherwise, we need to see logs, please. Also check your spam folder and local filters.
Steve