author | bwarsaw <> | 2006-08-30 14:55:23 +0000 |
---|---|---|
committer | bwarsaw <> | 2006-08-30 14:55:23 +0000 |
commit | 01badf5c6b00ed72ce799064c9a567ab8f34e369 (patch) | |
tree | b009b9b47c82717bcc5488648596348b32b6108a /admin/www/security.ht | |
parent | 0cee915eeb5f8f99ed036d257b1103c28373eb5b (diff) | |
Make a sweep through the web pages to update various bits of information.
This is in prep for the 2.1.9 release.
Diffstat (limited to 'admin/www/security.ht')
-rw-r--r-- | admin/www/security.ht | 38 |
1 files changed, 3 insertions, 35 deletions
diff --git a/admin/www/security.ht b/admin/www/security.ht index afe39420..6ac9473f 100644 --- a/admin/www/security.ht +++ b/admin/www/security.ht 
@@ -7,38 +7,6 @@ concerns should be emailed to <a href="mailto:%6D%61%69%6C%6D%61%6E%2D%73%65%63%75%72%69%74%79%40%70%79%74%68%6F%6E%2E%6F%72%67">mailman-security at python dot org</a>. This is a closed list that reaches the core Mailman developers. -<h3>Known issues and fixes</h3> - -<ul> - -<li><b>CAN-2005-0202</b> -- This is a very serious issue affecting the Mailman -2.1 series up to and including version 2.1.5. <b>Mailman 2.1.6 is not -affected</b>. This issue can allow for the leakage of member passwords. - -<p>A quick, immediate fix is to remove the /usr/local/mailman/cgi-bin/private -executable. However, this will break any private archives your lists may be -using. See below for a proper patch. - -<p>The extent of your exposure to this vulnerability depends on factors such -as which version of Apache you are running and how you have it configured. We -do not currently know the exact combination that enables the hole, although we -currently believe that Apache 2.0 sites are not vulnerable and that that many -if not most Apache 1.3 sites are vulnerable. In any event, the safest -approach is to assume the worst and it is recommended that you apply -<a href="CAN-2005-0202.txt">this Mailman patch</a> as soon as possible. - -<p>For additional peace of mind, it is -recommended that you regenerate your list member passwords using -<a href="reset_pw.py">the Mailman 2.1.6 reset_pw.py script</a>. Put this file -in your Mailman installation's bin directory. After running the script, you -might also want to manually run the cron/mailpasswds script so that your users -will be informed of their new passwords. - -<p>Credit goes to Marcus Meissner for finding this issue. -</li> - -<li><b>Mailman 2.1.6</b> -- allows for more cryptographically secure (but less -user-friendly) list admin and auto-generated user passwords. Also, a -potential cross-site scripting hole has been closed. 
- -</ul> +<p>To ensure the highest security of your Mailman site, it is always best to +run the latest release. If you are not running the latest release, please +upgrade before reporting security issues. |
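Review bot: this hunk removes the entire "Known issues and fixes" section, including the CAN-2005-0202 entry with its links to CAN-2005-0202.txt and reset_pw.py, and replaces it only with a generic "run the latest release" paragraph, so an administrator still on 2.1.5 or earlier loses both the pointer to the patch and the password-reset procedure. Suggest keeping a short note that CAN-2005-0202 affects 2.1.5 and earlier and is fixed in 2.1.6, with the two links retained, or adding a link to wherever past advisories now live. Separately, "please upgrade before reporting security issues" may discourage reports of problems that are present in the latest release as well; "please confirm the issue reproduces on the latest release before reporting it" says what is meant.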