Diffstat (limited to '')
-rw-r--r-- | admin/www/security.ht | 37 | ||||
-rw-r--r-- | admin/www/security.html | 197 |
2 files changed, 234 insertions, 0 deletions
diff --git a/admin/www/security.ht b/admin/www/security.ht
new file mode 100644
index 00000000..b139c7c2
--- /dev/null
+++ b/admin/www/security.ht
@@ -0,0 +1,37 @@
+Title: Mailman security issues
+
+<h3>Mailman security issues</h3>
+
+The GNU Mailman developers take security very seriously. All Mailman security
+concerns should be emailed to
+<a href="mailto:%6D%61%69%6C%6D%61%6E%2D%73%65%63%75%72%69%74%79%40%70%79%74%68%6F%6E%2E%6F%72%67">mailman-security at python dot org</a>.
+This is a closed list that reaches the core Mailman developers.
+
+<h3>Known issues and fixes</h3>
+
+<ul>
+
+<li><b>CAN-2005-0202</b> -- This is a very serious issue affecting the Mailman
+2.1 series up to and including version 2.1.5. Mailman 2.1.6 is not
+affected. This issue can allow for the leakage of member passwords.
+
+<p>A quick, immediate fix is to remove the /usr/local/mailman/cgi-bin/private
+executable. However, this will break any private archives your lists may be
+using. See below for a proper patch.
+
+<p>The extent of your exposure to this vulnerability depends on factors such
+as which version of Apache you are running and how you have it configured. We
+do not currently know the exact combination that enables the hole, although we
+currently believe that Apache 2.0 sites are not vulnerable and that that many
+if not most Apache 1.3 sites are vulnerable. In any event, the safest
+approach is to assume the worst and it is recommended that you apply
+<a href="CAN-2005-0202.txt">this Mailman patch</a> as soon as possible.
+
+<p>For additional piece of mind, it is
+recommended that you regenerate your list member passwords using
+<a href="reset_pw.py">the Mailman 2.1.6 reset_pw.py script</a>. Put this file
+in your Mailman installation's bin directory. After running the script, you
+might also want to manually run the cron/mailpasswds script so that your users
+will be informed of their new passwords.
+</li>
+</ul>
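Review bot: The security.html added in this same commit does not look like the output of this source, so the served page would lack the interim mitigation documented here: the paragraph starting `<p>A quick, immediate fix is to remove the /usr/local/mailman/cgi-bin/private` is absent there, the contact link appears as `<mailto:mailman-security@python.org>` with no opening `<a href=...>` (not clickable, and no longer obfuscated), and the text reads `2.1 serious`. Re-run ht2html on this file and commit the regenerated security.html instead of the stale copy. In this source the mitigation path is tied to one install prefix; I would word it as `remove the cgi-bin/private executable under your Mailman installation prefix (/usr/local/mailman by default)`. Because administrators are asked to apply `CAN-2005-0202.txt` and run `reset_pw.py` fetched from this page, publishing a checksum or detached signature beside those two links would let them verify what they downloaded. Also fix `piece of mind` to `peace of mind` and `that that many` to `that many`.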
diff --git a/admin/www/security.html b/admin/www/security.html
new file mode 100644
index 00000000..4d7c40cb
--- /dev/null
+++ b/admin/www/security.html
@@ -0,0 +1,197 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" + "http://www.w3.org/TR/html4/loose.dtd" > +<html> +<!-- THIS PAGE IS AUTOMATICALLY GENERATED. DO NOT EDIT. --> +<!-- Thu Feb 10 08:31:48 2005 --> +<!-- USING HT2HTML 2.0 --> +<!-- SEE http://ht2html.sf.net --> +<!-- User-specified headers: +Title: Mailman security issues + +--> + +<head> +<title>Mailman security issues</title> +<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" > +<meta name="generator" content="HT2HTML/2.0" > +<style type="text/css"> +body { margin: 0px; } +</style> +</head> +<body bgcolor="#ffffff" text="#000000" + marginwidth="0" marginheight="0" + link="#0000bb" vlink="#551a8b" + alink="#ff0000"> +<!-- start of page table --> +<table width="100%" border="0" cellspacing="0" cellpadding="0"> +<!-- start of banner row --> +<tr> +<!-- start of corner cells --> +<td width="150" valign="middle" bgcolor="white" class="corner"> + +<center> + <a href="./index.html"> + <img border=0 src="./images/logo-70.jpg"></a></center> </td> +<td width="15" bgcolor="#eecfa1"> </td><!--spacer--> +<!-- end of corner cells --> +<!-- start of banner --> +<td width="90%" bgcolor="#eecfa1" class="banner"> +<!-- start of site links table --> +<table width="100%" border="0" + CELLSPACING=0 CELLPADDING=0 + bgcolor="#ffffff"> +<tr> + <td bgcolor="#eecfa1"> +<a href="./index.html">Home</a> + </td> + <td bgcolor="#eecfa1"> +<b>Security</b> + </td> + <td bgcolor="#eecfa1"> +<a href="./docs.html">Documentation</a> + </td> + <td bgcolor="#eecfa1"> +<a href="./lists.html">Mailing lists</a> + </td> +</tr><tr> + <td bgcolor="#eecfa1"> + + </td> + <td bgcolor="#eecfa1"> +<a href="./help.html">Help</a> + </td> + <td bgcolor="#eecfa1"> +<a href="./download.html">Download</a> + </td> + <td bgcolor="#eecfa1"> +<a href="./devs.html">Developers</a> + </td> +</tr> +</table><!-- end of site links table --> + +</td><!-- end of banner --> +</tr><!-- end of banner row --> +<tr><!-- start of 
sidebar/body row --> +<!-- start of sidebar cells --> +<td width="150" valign="top" bgcolor="#eecfa1" class="sidebar"> +<!-- start of sidebar table --> +<table width="100%" border="0" cellspacing="0" cellpadding="3" + bgcolor="#ffffff"> +<tr><td bgcolor="#36648b"><b><font color="#ffffff"> +Overview +</font></b></td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="index.html">Home</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="security.html"><b>Security</b></li> +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="features.html">Features</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="i18n.html">Internationalization</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="otherstuff.html">Rants, Papers, and Logos</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="inthenews.html">Mailman in Use</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="prev.html">Previous Releases</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="bugs.html">Bugs and Patches</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="mirrors.html">Mirrors</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> </td></tr> +<tr><td bgcolor="#36648b"><b><font color="#ffffff"> +Exits +</font></b></td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="http://sf.net/projects/mailman">SF Project Page</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="lists.html">Discussion Lists</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="http://www.python.org/">Python</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="http://www.gnu.org/">GNU</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="http://barry.warsaw.us/">Barry Warsaw</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> </td></tr> +<tr><td bgcolor="#36648b"><b><font color="#ffffff"> +Email Us +</font></b></td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="mailto:mailman-users@python.org">mailman-users@python.org</a> +</td></tr> +<tr><td bgcolor="#eecfa1"> + +</td></tr> +<tr><td bgcolor="#eecfa1"> +<a href="http://www.python.org/"><img border=0 + 
src="./images/PythonPoweredSmall.png" + ></a> <a href="http://sourceforge.net"><img + src="http://sourceforge.net/sflogo.php?group_id=103" + width="88" height="31" border="0" + alt="SourceForge Logo"></a> +</td></tr> +<tr><td bgcolor="#eecfa1"> + +</td></tr> +<tr><td bgcolor="#eecfa1"> +© 1998-2005 +Free Software Foundation, Inc. Verbatim copying and distribution of this +entire article is permitted in any medium, provided this notice is preserved. + +</td></tr> +</table><!-- end of sidebar table --> + +</td> +<td width="15"> </td><!--spacer--> +<!-- end of sidebar cell --> +<!-- start of body cell --> +<td valign="top" width="90%" class="body"><br> +<h3>Mailman security issues</h3> + +The GNU Mailman developers take security very seriously. All Mailman security +concerns should be emailed to +<mailto:mailman-security@python.org>mailman-security@python.org</a>. This is +a closed list that reaches the core Mailman developers. + +<h3>Known issues and fixes</h3> + +<ul> +<li><b>CAN-2005-0202</b> -- This is a very serious issue affecting +the Mailman 2.1 serious up to and including version 2.1.5. Mailman 2.1.6 is +not vulnerable. This issue can allow for the leakage of member passwords. + +<p>The extent of your exposure to this vulnerability depends on factors such +as which version of Apache you are running and how you have it configured. We +do not currently know the exact combination that enables the hole, although we +currently believe that Apache 2.0 sites are not vulnerable and that that many +if not most Apache 1.3 sites are vulnerable. In any event, the safest +approach is to assume the worst and it is recommended that you apply +<a href="CAN-2005-0202.txt">this Mailman patch</a> as soon as possible. + +<p>For additional piece of mind, it is +recommended that you regenerate your list member passwords using +<a href="reset_pw.py">the Mailman 2.1.6 reset_pw.py script</a>. Put this file +in your Mailman installation's bin directory. 
After running the script, you +might also want to manually run the cron/mailpasswds script so that your users +will be informed of their new passwords. +</li> +</ul> + +</td><!-- end of body cell --> +</tr><!-- end of sidebar/body row --> +</table><!-- end of page table --> +</body></html> |