Diffstat (limited to '')
-rw-r--r--  admin/www/security.ht    37
-rw-r--r--  admin/www/security.html  197
2 files changed, 234 insertions, 0 deletions
diff --git a/admin/www/security.ht b/admin/www/security.ht
new file mode 100644
index 00000000..b139c7c2
--- /dev/null
+++ b/admin/www/security.ht
@@ -0,0 +1,37 @@
+Title: Mailman security issues
+
+<h3>Mailman security issues</h3>
+
+The GNU Mailman developers take security very seriously. All Mailman security
+concerns should be emailed to
+<a href="mailto:%6D%61%69%6C%6D%61%6E%2D%73%65%63%75%72%69%74%79%40%70%79%74%68%6F%6E%2E%6F%72%67">mailman-security at python dot org</a>.
+This is a closed list that reaches the core Mailman developers.
+
+<h3>Known issues and fixes</h3>
+
+<ul>
+
+<li><b>CAN-2005-0202</b> -- This is a very serious issue affecting the Mailman
+2.1 series up to and including version 2.1.5. Mailman 2.1.6 is not
+affected. This issue can allow for the leakage of member passwords.
+
+<p>A quick, immediate fix is to remove the /usr/local/mailman/cgi-bin/private
+executable. However, this will break any private archives your lists may be
+using. See below for a proper patch.
+
+<p>The extent of your exposure to this vulnerability depends on factors such
+as which version of Apache you are running and how you have it configured. We
+do not currently know the exact combination that enables the hole, although we
+currently believe that Apache 2.0 sites are not vulnerable and that that many
+if not most Apache 1.3 sites are vulnerable. In any event, the safest
+approach is to assume the worst and it is recommended that you apply
+<a href="CAN-2005-0202.txt">this Mailman patch</a> as soon as possible.
+
+<p>For additional piece of mind, it is
+recommended that you regenerate your list member passwords using
+<a href="reset_pw.py">the Mailman 2.1.6 reset_pw.py script</a>. Put this file
+in your Mailman installation's bin directory. After running the script, you
+might also want to manually run the cron/mailpasswds script so that your users
+will be informed of their new passwords.
+</li>
+</ul>
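Review bot: the paragraph starting "For additional piece of mind" should read "peace of mind", and "and that that many if not most Apache 1.3 sites" has a doubled "that"; both will propagate into the generated HTML. Two further points on this hunk: the relative links `CAN-2005-0202.txt` and `reset_pw.py` are not added by this change (the diffstat shows only the two page files), so confirm both artifacts are already present under admin/www or the advisory will ship with dead links to the patch and the password-reset script; and the `<li>` block mixes unclosed `<p>` elements inside the list item, which the HTML 4.01 Transitional doctype tolerates but which is worth closing for the generated page. The percent-encoded `mailto:` href is a deliberate obfuscation of the security contact address and is fine as written, as long as the visible "mailman-security at python dot org" text stays in sync with it.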
diff --git a/admin/www/security.html b/admin/www/security.html
new file mode 100644
index 00000000..4d7c40cb
--- /dev/null
+++ b/admin/www/security.html
@@ -0,0 +1,197 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd" >
+<html>
+<!-- THIS PAGE IS AUTOMATICALLY GENERATED. DO NOT EDIT. -->
+<!-- Thu Feb 10 08:31:48 2005 -->
+<!-- USING HT2HTML 2.0 -->
+<!-- SEE http://ht2html.sf.net -->
+<!-- User-specified headers:
+Title: Mailman security issues
+
+-->
+
+<head>
+<title>Mailman security issues</title>
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" >
+<meta name="generator" content="HT2HTML/2.0" >
+<style type="text/css">
+body { margin: 0px; }
+</style>
+</head>
+<body bgcolor="#ffffff" text="#000000"
+ marginwidth="0" marginheight="0"
+ link="#0000bb" vlink="#551a8b"
+ alink="#ff0000">
+<!-- start of page table -->
+<table width="100%" border="0" cellspacing="0" cellpadding="0">
+<!-- start of banner row -->
+<tr>
+<!-- start of corner cells -->
+<td width="150" valign="middle" bgcolor="white" class="corner">
+
+<center>
+ <a href="./index.html">
+ <img border=0 src="./images/logo-70.jpg"></a></center> </td>
+<td width="15" bgcolor="#eecfa1">&nbsp;&nbsp;</td><!--spacer-->
+<!-- end of corner cells -->
+<!-- start of banner -->
+<td width="90%" bgcolor="#eecfa1" class="banner">
+<!-- start of site links table -->
+<table width="100%" border="0"
+ CELLSPACING=0 CELLPADDING=0
+ bgcolor="#ffffff">
+<tr>
+ <td bgcolor="#eecfa1">
+<a href="./index.html">Home</a>
+ </td>
+ <td bgcolor="#eecfa1">
+<b>Security</b>
+ </td>
+ <td bgcolor="#eecfa1">
+<a href="./docs.html">Documentation</a>
+ </td>
+ <td bgcolor="#eecfa1">
+<a href="./lists.html">Mailing lists</a>
+ </td>
+</tr><tr>
+ <td bgcolor="#eecfa1">
+&nbsp;
+ </td>
+ <td bgcolor="#eecfa1">
+<a href="./help.html">Help</a>
+ </td>
+ <td bgcolor="#eecfa1">
+<a href="./download.html">Download</a>
+ </td>
+ <td bgcolor="#eecfa1">
+<a href="./devs.html">Developers</a>
+ </td>
+</tr>
+</table><!-- end of site links table -->
+
+</td><!-- end of banner -->
+</tr><!-- end of banner row -->
+<tr><!-- start of sidebar/body row -->
+<!-- start of sidebar cells -->
+<td width="150" valign="top" bgcolor="#eecfa1" class="sidebar">
+<!-- start of sidebar table -->
+<table width="100%" border="0" cellspacing="0" cellpadding="3"
+ bgcolor="#ffffff">
+<tr><td bgcolor="#36648b"><b><font color="#ffffff">
+Overview
+</font></b></td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="index.html">Home</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="security.html"><b>Security</b></li>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="features.html">Features</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="i18n.html">Internationalization</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="otherstuff.html">Rants, Papers, and Logos</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="inthenews.html">Mailman in Use</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="prev.html">Previous Releases</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="bugs.html">Bugs and Patches</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="mirrors.html">Mirrors</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">&nbsp;</td></tr>
+<tr><td bgcolor="#36648b"><b><font color="#ffffff">
+Exits
+</font></b></td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="http://sf.net/projects/mailman">SF Project Page</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="lists.html">Discussion Lists</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="http://www.python.org/">Python</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="http://www.gnu.org/">GNU</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="http://barry.warsaw.us/">Barry Warsaw</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">&nbsp;</td></tr>
+<tr><td bgcolor="#36648b"><b><font color="#ffffff">
+Email Us
+</font></b></td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="mailto:mailman-users@python.org">mailman-users@python.org</a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+&nbsp;
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+<a href="http://www.python.org/"><img border=0
+ src="./images/PythonPoweredSmall.png"
+ ></a>&nbsp;<a href="http://sourceforge.net"><img
+ src="http://sourceforge.net/sflogo.php?group_id=103"
+ width="88" height="31" border="0"
+ alt="SourceForge Logo"></a>
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+&nbsp;
+</td></tr>
+<tr><td bgcolor="#eecfa1">
+&copy; 1998-2005
+Free Software Foundation, Inc. Verbatim copying and distribution of this
+entire article is permitted in any medium, provided this notice is preserved.
+
+</td></tr>
+</table><!-- end of sidebar table -->
+
+</td>
+<td width="15">&nbsp;&nbsp;</td><!--spacer-->
+<!-- end of sidebar cell -->
+<!-- start of body cell -->
+<td valign="top" width="90%" class="body"><br>
+<h3>Mailman security issues</h3>
+
+The GNU Mailman developers take security very seriously. All Mailman security
+concerns should be emailed to
+<mailto:mailman-security@python.org>mailman-security@python.org</a>. This is
+a closed list that reaches the core Mailman developers.
+
+<h3>Known issues and fixes</h3>
+
+<ul>
+<li><b>CAN-2005-0202</b> -- This is a very serious issue affecting
+the Mailman 2.1 serious up to and including version 2.1.5. Mailman 2.1.6 is
+not vulnerable. This issue can allow for the leakage of member passwords.
+
+<p>The extent of your exposure to this vulnerability depends on factors such
+as which version of Apache you are running and how you have it configured. We
+do not currently know the exact combination that enables the hole, although we
+currently believe that Apache 2.0 sites are not vulnerable and that that many
+if not most Apache 1.3 sites are vulnerable. In any event, the safest
+approach is to assume the worst and it is recommended that you apply
+<a href="CAN-2005-0202.txt">this Mailman patch</a> as soon as possible.
+
+<p>For additional piece of mind, it is
+recommended that you regenerate your list member passwords using
+<a href="reset_pw.py">the Mailman 2.1.6 reset_pw.py script</a>. Put this file
+in your Mailman installation's bin directory. After running the script, you
+might also want to manually run the cron/mailpasswds script so that your users
+will be informed of their new passwords.
+</li>
+</ul>
+
+</td><!-- end of body cell -->
+</tr><!-- end of sidebar/body row -->
+</table><!-- end of page table -->
+</body></html>
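Review bot: this generated file does not match the .ht source it is marked as being built from (the header says "THIS PAGE IS AUTOMATICALLY GENERATED. DO NOT EDIT."), so it looks hand-edited or stale and should be regenerated with ht2html instead of committed as-is. Concrete divergences: the body cell has `<mailto:mailman-security@python.org>mailman-security@python.org</a>`, which is not a valid anchor (the source has `<a href="mailto:...">`) and also exposes the unobfuscated address the .ht took care to encode; "the Mailman 2.1 serious up to and including version 2.1.5" should be "series"; the .html says 2.1.6 is "not vulnerable" where the .ht says "not affected"; and the "quick, immediate fix" paragraph about removing the `cgi-bin/private` executable is missing here entirely, which matters because it is the only mitigation available to an admin who cannot patch immediately. In the sidebar, `<a href="security.html"><b>Security</b></li>` closes the anchor with `</li>` instead of `</a>`, which will be a rendering glitch on every page that shares this template.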