I reviewed mailman-suite 0+20180916-7 as checked in to eoan. This isn't a full security audit, but rather a quick gauge of maintainability.
- mailman-suite is a Django web application which provides the Mailman3 Postorius web interface and the HyperKitty mailing list archiver. The package provides a uWSGI configuration and stub, associated systemd service file, and Django settings.
- There are no CVEs in our database.
- Build-Depends: debhelper, po-debconf
- Depends: dbconfig-sqlite3 | dbconfig-pgsql | dbconfig-mysql | dbconfig-no-thanks, lsb-base, node-less, python3, python3-django-hyperkitty, python3-django-postorius, python3-psycopg2 | python3-mysqldb, python3-whoosh, ruby-sass, ucf, uwsgi, uwsgi-plugin-python3
- Recommends: libapache2-mod-proxy-uwsgi | nginx
- All dependencies satisfied from main, except for:
  - node-less (bug 1820201)
  - python3-django-hyperkitty (bug 1820196)
  - python3-django-postorius (bug 1820210)
  - python3-whoosh (bug 1820224)
  - ruby-sass (no bug)
  - uwsgi, uwsgi-plugin-python3 (bug 1820227)
- The upstream project doesn't see a lot of activity, although that's expected given that it's very small. There have been commits to the upstream GitLab project within the last month.
- All code is written in Python.
- The package doesn't appear to have a direct dependency on python-django, despite shipping Python code that directly imports its modules.
- There are no compiled binaries.
- The package is lintian clean.
- As nothing is compiled in the build, there are no compiler warnings or errors.
- Some directories are installed owned by list:list or www-data:www-data.
- Ships a logrotate config for /var/log/mailman3/web/mailman-web.log which configures a daily rotation and specifies a rotate count of 5.
- No DBus services.
- No setuid binaries.
- No FS capabilities.
- Does not call any privileged commands.
- No sudo fragments.
- No udev rules.
- Installs a cron job that runs django-admin.py at various intervals (minutely, every 15 minutes, hourly, daily, weekly, monthly, yearly).
- Provides a systemd service that runs the mailman3-web uWSGI service, initially as root, but it drops privileges and eventually runs as www-data.
- Doesn't spawn subprocesses.
- Doesn't open any files.
- Doesn't make use of any logging.
- Doesn't read anything from the environment.
- No privileged code.
- No networking.
- No cryptography.
- No SQL.
- Doesn't use temporary files, except during package configure (the postinst script uses the tempfile command).
- No WebKit.
- The amount of actual Python code is very small: basically wsgi.py and manage.py, which are just stubs that call in to Django code with the mailman-suite Django settings (settings.py).
- The package ships a template Django settings file, and generates a local one with some saner defaults (such as unique values for SECRET_KEY and MAILMAN_ARCHIVER_KEY generated from /dev/urandom) when the package is configured.

Security team ACK for promoting mailman-suite to main, once its dependencies have been approved. Note that I couldn't find a MIR bug for ruby-sass.

** Changed in: mailman-suite (Ubuntu)
   Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1820206
Title: [MIR] mailman-suite as dependency of mailman3
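The review above notes that the package's postinst generates a local settings file with unique SECRET_KEY and MAILMAN_ARCHIVER_KEY values taken from /dev/urandom, using a temporary file during configure. The shell script below is an added illustration of that pattern written for this page; it is not the mailman-suite postinst. The file name settings_local.py, the 50-character alphanumeric key format, the mode 0640 and the CHANGE-ME placeholder string are assumptions for the example. It also carries the check a reviewer would run after configure: both keys present, no template placeholder left behind, and the file not world-readable.

```shell
#!/bin/sh
# Added illustration for this review, not mailman-suite's own postinst.
# Generates per-install Django secrets from /dev/urandom, writes them to a
# local settings file atomically, then verifies the result.
# Assumptions: file name settings_local.py, 50-character alphanumeric keys,
# mode 0640 (the group would be the uWSGI service user's; not set here).
set -eu

# Emit $1 (default 50) random alphanumeric characters from /dev/urandom.
# 50 characters over a 62-symbol alphabet is roughly 297 bits of entropy.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-50}"
}

# Write the local settings through a temp file in the destination directory
# and rename it into place, so an interrupted run never leaves a half-written
# or placeholder-filled settings file. mktemp creates the file mode 0600.
write_local_settings() {
    dest="$1"
    dir=$(dirname "$dest")
    tmp=$(mktemp "$dir/.settings_local.XXXXXX")
    {
        printf "SECRET_KEY = '%s'\n" "$(gen_secret 50)"
        printf "MAILMAN_ARCHIVER_KEY = '%s'\n" "$(gen_secret 50)"
    } > "$tmp"
    chmod 0640 "$tmp"
    mv -f "$tmp" "$dest"
}

# Post-configure check: both keys present with at least 50 key characters,
# no template placeholder (assumed to read CHANGE-ME) left behind, and the
# file not world-readable (no 004 bit set).
check_local_settings() {
    f="$1"
    grep -Eq "^SECRET_KEY = '[A-Za-z0-9]{50,}'$" "$f" || return 1
    grep -Eq "^MAILMAN_ARCHIVER_KEY = '[A-Za-z0-9]{50,}'$" "$f" || return 1
    if grep -q 'CHANGE-ME' "$f"; then return 1; fi
    [ -z "$(find "$f" -perm -004)" ]
}

# Constructed usage: write and verify in a scratch directory.
scratch=$(mktemp -d)
write_local_settings "$scratch/settings_local.py"
check_local_settings "$scratch/settings_local.py" && echo "settings_local.py OK"
rm -rf "$scratch"
```

The temp file is created in the destination directory rather than /tmp so that the final mv is a same-filesystem rename, which is atomic; creating it in /tmp and moving across filesystems would copy the file and lose that property.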