Most relevant bit found among Debian bugs:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669813#36
The new apache security model requires adding this to the
Directory stanza for mailman:
             Require all granted

But that's not particularly detailed, most notably omits
mention of
/etc/mailman/apache.conf
and the
<Directory /var/lib/mailman/archives/public/>
section within.

Recommended to (mostly) fix mailman 1:2.1.18-2+deb8u1 amd64:

$ diff -U 5 etc/mailman/apache.conf.bug_669813 etc/mailman/apache.conf
--- etc/mailman/apache.conf.bug_669813  2016-09-14 23:05:02.000000000 -0700
+++ etc/mailman/apache.conf     2017-07-11 07:01:29.116879436 -0700
@@ -26,10 +26,11 @@
 <Directory /var/lib/mailman/archives/public/>
     Options FollowSymlinks
     AllowOverride None
     Order allow,deny
     Allow from all
+    Require all granted
 </Directory>
 <Directory /usr/share/images/mailman/>
     AllowOverride None
     Order allow,deny
     Allow from all
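Review bot: The added `Require all granted` in the `/var/lib/mailman/archives/public/` stanza now sits beside the 2.2-style `Order allow,deny` / `Allow from all` pair, which Apache 2.4 honours only through mod_access_compat, and the Apache 2.4 upgrade notes discourage mixing the two styles in one section. Consider dropping the old pair there and keeping the single `Require all granted` line. The `/usr/share/images/mailman/` stanza in the trailing context shows only the old directives in the lines visible here, so check whether it needs the same line.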
$

At least that's the case for Jessie (presently oldstable)
(
Debian GNU/Linux 8.8 (jessie) x86_64
mailman 1:2.1.18-2+deb8u1 amd64
apache2 2.4.10-10+deb8u9 amd64
)

I haven't (at least yet) checked to see if there's patch applied
yet for newer than mailman 1:2.1.18-2+deb8u1 amd64 that may cover
that fix.

In the meantime, for work-around for at least those versions,
in Apache configuration, in addition to (which I added):
Include ../mailman/apache.conf
(or
Include /etc/mailman/apache.conf
or equivalent
)
also add (and if the above is used via Include, use this *after* the above):
<Directory /var/lib/mailman/archives/public/>
    Options FollowSymlinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Require all granted
</Directory>

From: "Michael Paoli" <michael.pa...@cal.berkeley.edu>
Subject: Archives now working: BALUG-Test list
Date: Tue, 11 Jul 2017 00:36:28 -0700

Archives are now working.
Relevant bit ... I ought (when I get around to it) check if there's
bug filed (it may already be fixed even - but not yet to stable).

The missing bit ... I'd (rather than redundantly copied/maintain) used:
(relative to /etc/apache2):
Include ../mailman/apache.conf
in file sites-available/Include/temp.balug.org
that was almost all well fine and good (I'd reviewed
./mailman/apache.conf earlier).  But it left out one key needed bit,
it has:
<Directory /var/lib/mailman/archives/public/>
    Options FollowSymlinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
but needs:
<Directory /var/lib/mailman/archives/public/>
    Options FollowSymlinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
My relatively simple fix,
add to file
sites-available/Include/temp.balug.org
<Directory /var/lib/mailman/archives/public/>
    Options FollowSymlinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
after:
Include ../mailman/apache.conf
... Apache doesn't seem to care about the same
<Directory /var/lib/mailman/archives/public/>
appearing twice, and seems in that case to just use the latter fine.

So ... /etc/mailman/apache.conf
should have included but failed to include, in its section:
<Directory /var/lib/mailman/archives/public/>
the line:
    Require all granted
So ... I think I'd call that a "bug" - even if it's documentation
errata.  Might be a Debian specific patch needed, as other
distributions and/or Apache may have different defaults on
that security.

https://temp.balug.org/pipermail/balug-test/2017-July/000004.html
temp.balug.org will in future be moved to lists.balug.org, so that
will become:
https://lists.balug.org/pipermail/balug-test/2017-July/000004.html

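Added example (not part of the original message or of the Debian package): a small Python lint that lists `<Directory>` paths carrying only 2.2-style `Order`/`Allow`/`Deny` lines, with no `Require` in any stanza for that path. `SAMPLE`, `directory_stanzas` and `paths_missing_require` are names made up for this example, the sample config is constructed from the stanzas quoted above, and letting a repeated stanza clear the finding is a simplifying assumption.

```python
import re

# Constructed sample modelled on the stanzas quoted in the message: the
# packaged file first, then the override added after the Include.
SAMPLE = """\
<Directory /var/lib/mailman/archives/public/>
    Order allow,deny
    Allow from all
</Directory>
<Directory /usr/share/images/mailman/>
    Order allow,deny
    Allow from all
</Directory>
<Directory /var/lib/mailman/archives/public/>
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
"""

# Matches an opening <Directory path> line (not <DirectoryMatch>).
OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>$', re.I)


def directory_stanzas(text):
    """Yield (path, set of directive names) for each <Directory> block."""
    path, words = None, set()
    for line in (raw.strip() for raw in text.splitlines()):
        m = OPEN.match(line)
        if m:
            path, words = m.group(1), set()
        elif line.lower().startswith("</directory") and path is not None:
            yield path, words
            path = None
        elif path is not None and line and not line.startswith("#"):
            words.add(line.split()[0].lower())


def paths_missing_require(text):
    """Paths with Order/Allow/Deny and no Require in any stanza for the path."""
    # Lint heuristic only (assumption of this example), not Apache's merge logic.
    legacy, granted = [], set()
    for path, words in directory_stanzas(text):
        if "require" in words:
            granted.add(path)
        elif words & {"order", "allow", "deny"} and path not in legacy:
            legacy.append(path)
    return [p for p in legacy if p not in granted]
```

To check a real host, pass the concatenated text of the included files in the order Apache reads them.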