From b2a8ab50ca10ff83839cd876f7f9a6495c33293c Mon Sep 17 00:00:00 2001 From: bwarsaw <> Date: Thu, 10 Feb 2005 14:10:10 +0000 Subject: Add information regarding CAN-2005-0202 vulnerability, with patches and recommendations. Also include reference to a new email address folks can use to contact the Mailman security response team. --- admin/www/CAN-2005-0202.txt | 34 ++++++++ admin/www/MMGenerator.py | 4 +- admin/www/admins.html | 13 ++- admin/www/bugs.html | 13 ++- admin/www/devs.html | 18 ++-- admin/www/docs.html | 13 ++- admin/www/download.html | 21 +++-- admin/www/faq.html | 21 +++-- admin/www/features.html | 21 +++-- admin/www/help.html | 21 +++-- admin/www/i18n.html | 13 ++- admin/www/index.ht | 7 +- admin/www/index.html | 18 +++- admin/www/install.html | 21 +++-- admin/www/inthenews.html | 11 ++- admin/www/jwzrebuttal.html | 21 +++-- admin/www/links.h | 1 + admin/www/lists.html | 21 +++-- admin/www/mgrs.html | 21 +++-- admin/www/mirrors.html | 21 +++-- admin/www/otherstuff.html | 21 +++-- admin/www/prev.html | 21 +++-- admin/www/requirements.html | 21 +++-- admin/www/reset_pw.py | 90 ++++++++++++++++++++ admin/www/security.ht | 37 +++++++++ admin/www/security.html | 197 ++++++++++++++++++++++++++++++++++++++++++++ admin/www/site.html | 13 ++- admin/www/todo.ht | 2 +- admin/www/todo.html | 23 ++++-- admin/www/users.html | 13 ++- admin/www/version.html | 11 ++- 31 files changed, 679 insertions(+), 104 deletions(-) create mode 100644 admin/www/CAN-2005-0202.txt create mode 100644 admin/www/reset_pw.py create mode 100644 admin/www/security.ht create mode 100644 admin/www/security.html diff --git a/admin/www/CAN-2005-0202.txt b/admin/www/CAN-2005-0202.txt new file mode 100644 index 00000000..4c8cd240 --- /dev/null +++ b/admin/www/CAN-2005-0202.txt 
@@ -0,0 +1,34 @@ +Index: private.py +=================================================================== +RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v +retrieving revision 2.16.2.1 +diff -u -r2.16.2.1 private.py +--- private.py 8 Feb 2003 07:13:50 -0000 2.16.2.1 ++++ private.py 10 Feb 2005 03:34:21 -0000 +@@ -1,4 +1,4 @@ +-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc. ++# Copyright (C) 1998-2005 by the Free Software Foundation, Inc. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of the GNU General Public License +@@ -35,13 +35,17 @@ + _ = i18n._ + i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE) + ++SLASH = '/' ++ + + + def true_path(path): + "Ensure that the path is safe by removing .." +- path = path.replace('../', '') +- path = path.replace('./', '') +- return path[1:] ++ parts = path.split(SLASH) ++ safe = [x for x in parts if x not in ('.', '..')] ++ if parts <> safe: ++ syslog('mischief', 'Directory traversal attack thwarted') ++ return SLASH.join(safe)[1:] + + + diff --git a/admin/www/MMGenerator.py b/admin/www/MMGenerator.py index df632984..73842183 100644 --- a/admin/www/MMGenerator.py +++ b/admin/www/MMGenerator.py @@ -17,8 +17,10 @@ from LinkFixer import LinkFixer sitelinks = [ # Row 1 ('%(rootdir)s/index.html', 'Home'), + ('%(rootdir)s/security.html', 'Security'), ('%(rootdir)s/docs.html', 'Documentation'), ('%(rootdir)s/lists.html', 'Mailing lists'), + (None, ' '), ('%(rootdir)s/help.html', 'Help'), ('%(rootdir)s/download.html', 'Download'), ('%(rootdir)s/devs.html', 'Developers'), @@ -61,7 +63,7 @@ entire article is permitted in any medium, provided this notice is preserved. # sitelink_fixer = LinkFixer(f.myurl(), rootdir) sitelink_fixer.massage(sitelinks, self.__d, aboves=1) - Banner.__init__(self, sitelinks, cols=3) + Banner.__init__(self, sitelinks, cols=4) # kludge! ## for i in range(len(p.sidebar)-1, -1, -1): ## if p.sidebar[i] == 'Email Us': 
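Review bot: The new `true_path` drops `.` and `..` components but keeps empty ones, so a request path that starts with `//` passes the filter untouched and, after the `[1:]` strip, is still absolute (`'//etc/passwd'.split(SLASH)` gives `['', '', 'etc', 'passwd']`, which joins and slices back to `/etc/passwd`); if the caller, which is outside this hunk, hands that result to `os.path.join`, the archive root is discarded, so confirm that it does not. Two hardenings are cheap here: refuse rather than repair, i.e. have the caller reject the request whenever `parts <> safe` instead of only logging `mischief` and serving the cleaned path, and make the final decision on the resolved filename, `os.path.realpath(true_filename).startswith(os.path.realpath(root) + SLASH)`, which covers `//`, symlinks inside the archive tree and any future encoding trick in one place instead of relying on a component denylist. The patch also assumes `syslog` is already imported in private.py, which this excerpt does not show; worth confirming before publishing it as the recommended fix.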
diff --git a/admin/www/admins.html b/admin/www/admins.html index 00a2101f..97f3fefd 100644 --- a/admin/www/admins.html +++ b/admin/www/admins.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + - + - + + + -
Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
+  + Help @@ -111,7 +117,7 @@ Email Us  
-© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -122,7 +128,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
+

Developer Resources

If you're the kind of person who loves to get elbow deep in code, diff --git a/admin/www/docs.html b/admin/www/docs.html index e015f616..877c1f21 100644 --- a/admin/www/docs.html +++ b/admin/www/docs.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + - + + + + -
Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
+  + Help @@ -78,6 +84,9 @@ Overview Home
+Security +
Features
@@ -155,7 +164,7 @@ Email Us  
-© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -166,7 +175,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
+

Requirements

You must have a mail server (MTA) that you can send messages to, and a diff --git a/admin/www/faq.html b/admin/www/faq.html index 74c4fcfa..8f5c4b7c 100644 --- a/admin/www/faq.html +++ b/admin/www/faq.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + + + + -
Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
+  + Help @@ -78,6 +84,9 @@ Overview Home
+Security +
Features
@@ -139,7 +148,7 @@ Email Us  
-© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -150,7 +159,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
+

See also the Mailman FAQ Wizard for more information. diff --git a/admin/www/features.html b/admin/www/features.html index 87073190..35bc252f 100644 --- a/admin/www/features.html +++ b/admin/www/features.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + + + + -
Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
+  + Help @@ -78,6 +84,9 @@ Overview Home
+Security +
Features
@@ -127,7 +136,7 @@ Email Us  
-© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -138,7 +147,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
+

Mailman Features

Here's a brief description of the new features in Mailman 2.1 diff --git a/admin/www/help.html b/admin/www/help.html index a36cf262..0e6e5e1b 100644 --- a/admin/www/help.html +++ b/admin/www/help.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + + + + -
Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
+  + Help @@ -78,6 +84,9 @@ Overview Home
+Security +
Features
@@ -134,7 +143,7 @@ Email Us  
-© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -145,7 +154,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
+

Help

There are many resources available for those who need help with diff --git a/admin/www/i18n.html b/admin/www/i18n.html index 3b3b24ae..42420f1f 100644 --- a/admin/www/i18n.html +++ b/admin/www/i18n.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + - + - + + + + -
Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
+  + Help @@ -78,6 +84,9 @@ Overview Home
+Security +
Features
@@ -155,7 +164,7 @@ Email Us  
-© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -166,7 +175,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
+

Installing Mailman

For detailed installation instructions, please see the diff --git a/admin/www/inthenews.html b/admin/www/inthenews.html index fc207176..8e3bb2d4 100644 --- a/admin/www/inthenews.html +++ b/admin/www/inthenews.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + - + + + + -
Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
+  + Help @@ -78,6 +84,9 @@ Overview Home
+Security +
Features
@@ -146,7 +155,7 @@ Email Us  
-© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -157,7 +166,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
+

Mailman Considered Beneficial

Jamie Zawinski posted an article in 2002 titled

Overview

  • Home +
  • Security
  • Features
  • Internationalization
  • Rants, Papers, and Logos diff --git a/admin/www/lists.html b/admin/www/lists.html index a6073d4c..218f9d58 100644 --- a/admin/www/lists.html +++ b/admin/www/lists.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + + + + -
    Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
    +  + Help @@ -78,6 +84,9 @@ Overview Home
    +Security +
    Features
    @@ -139,7 +148,7 @@ Email Us  
    -© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -150,7 +159,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
    +

    Mailman mailing lists

    We have several mailing lists devoted to Mailman, which also provide a diff --git a/admin/www/mgrs.html b/admin/www/mgrs.html index e4d074ab..c5fbea69 100644 --- a/admin/www/mgrs.html +++ b/admin/www/mgrs.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + + + + -
    Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
    +  + Help @@ -78,6 +84,9 @@ Overview Home
    +Security +
    Features
    @@ -158,7 +167,7 @@ Email Us  
    -© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -169,7 +178,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
    +

    List Manager Documentation

    Chris Kolar has made diff --git a/admin/www/mirrors.html b/admin/www/mirrors.html index ead13666..bdbe4220 100644 --- a/admin/www/mirrors.html +++ b/admin/www/mirrors.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + + + + -
    Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
    +  + Help @@ -78,6 +84,9 @@ Overview Home
    +Security +
    Features
    @@ -139,7 +148,7 @@ Email Us  
    -© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -150,7 +159,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
    +

    Mailman Web Page Mirrors

    These web pages are mirrored in several locations for your diff --git a/admin/www/otherstuff.html b/admin/www/otherstuff.html index 0c177812..0d663994 100644 --- a/admin/www/otherstuff.html +++ b/admin/www/otherstuff.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + + + + -
    Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
    +  + Help @@ -78,6 +84,9 @@ Overview Home
    +Security +
    Features
    @@ -146,7 +155,7 @@ Email Us  
    -© 1998-2004 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -157,7 +166,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
    +

    Rants

    Here are some random rants on Mailman, email, list servers, and diff --git a/admin/www/prev.html b/admin/www/prev.html index 37a73c67..53d328e0 100644 --- a/admin/www/prev.html +++ b/admin/www/prev.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + + + + -
    Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
    +  + Help @@ -78,6 +84,9 @@ Overview Home
    +Security +
    Features
    @@ -139,7 +148,7 @@ Email Us  
    -© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -150,7 +159,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
    +

    Previous Mailman Releases

    - + + + + -
    Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
    +  + Help @@ -78,6 +84,9 @@ Overview Home
    +Security +
    Features
    @@ -162,7 +171,7 @@ Email Us  
    -© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -173,7 +182,7 @@ entire article is permitted in any medium, provided this notice is preserved.   
    +

    Requirements

    Mailman currently runs only on GNU/Linux and any other Un*x-like diff --git a/admin/www/reset_pw.py b/admin/www/reset_pw.py new file mode 100644 index 00000000..6bf86747 --- /dev/null +++ b/admin/www/reset_pw.py 
@@ -0,0 +1,90 @@ +#! /usr/bin/env python +# +# Copyright (C) 2004 by the Free Software Foundation, Inc. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + +# Inspired by Florian Weimer. + +"""Reset the passwords for members of a mailing list. + +This script resets all the passwords of a mailing list's members. It can also +be used to reset the lists of all members of all mailing lists, but it is your +responsibility to let the users know that their passwords have been changed. + +This script is intended to be run as a bin/withlist script, i.e. + +% bin/withlist -l -r reset_pw listname [options] + +Options: + -v / --verbose + Print what the script is doing. 
+""" + +import sys +import getopt + +import paths +from Mailman import Utils +from Mailman.i18n import _ + + +try: + True, False +except NameError: + True = 1 + False = 0 + + + +def usage(code, msg=''): + if code: + fd = sys.stderr + else: + fd = sys.stdout + print >> fd, _(__doc__.replace('%', '%%')) + if msg: + print >> fd, msg + sys.exit(code) + + + +def reset_pw(mlist, *args): + try: + opts, args = getopt.getopt(args, 'v', ['verbose']) + except getopt.error, msg: + usage(1, msg) + + verbose = False + for opt, args in opts: + if opt in ('-v', '--verbose'): + verbose = True + + listname = mlist.internal_name() + if verbose: + print _('Changing passwords for list: %(listname)s') + + for member in mlist.getMembers(): + randompw = Utils.MakeRandomPassword() + mlist.setMemberPassword(member, randompw) + if verbose: + print _('New password for member %(member)40s: %(randompw)s') + + mlist.Save() + + + +if __name__ == '__main__': + usage(0) diff --git a/admin/www/security.ht b/admin/www/security.ht new file mode 100644 index 00000000..b139c7c2 --- /dev/null +++ b/admin/www/security.ht @@ -0,0 +1,37 @@ +Title: Mailman security issues + +

    Mailman security issues

    + +The GNU Mailman developers take security very seriously. All Mailman security +concerns should be emailed to +mailman-security at python dot org. +This is a closed list that reaches the core Mailman developers. + +

    Known issues and fixes

    + +
      + +
    • CAN-2005-0202 -- This is a very serious issue affecting the Mailman +2.1 series up to and including version 2.1.5. Mailman 2.1.6 is not +affected. This issue can allow for the leakage of member passwords. + +

      A quick, immediate fix is to remove the /usr/local/mailman/cgi-bin/private +executable. However, this will break any private archives your lists may be +using. See below for a proper patch. + +

      The extent of your exposure to this vulnerability depends on factors such +as which version of Apache you are running and how you have it configured. We +do not currently know the exact combination that enables the hole, although we +currently believe that Apache 2.0 sites are not vulnerable and that that many +if not most Apache 1.3 sites are vulnerable. In any event, the safest +approach is to assume the worst and it is recommended that you apply +this Mailman patch as soon as possible. + +

      For additional piece of mind, it is +recommended that you regenerate your list member passwords using +the Mailman 2.1.6 reset_pw.py script. Put this file +in your Mailman installation's bin directory. After running the script, you +might also want to manually run the cron/mailpasswds script so that your users +will be informed of their new passwords. +

    • +
    diff --git a/admin/www/security.html b/admin/www/security.html new file mode 100644 index 00000000..4d7c40cb --- /dev/null +++ b/admin/www/security.html @@ -0,0 +1,197 @@ + + + + + + + + + +Mailman security issues + + + + + + + + + + + + + + + + + + + + + + + + +
    + +
    + +
      
      
    +

    Mailman security issues

    + +The GNU Mailman developers take security very seriously. All Mailman security +concerns should be emailed to +mailman-security@python.org. This is +a closed list that reaches the core Mailman developers. + +

    Known issues and fixes

    + +
      +
    • CAN-2005-0202 -- This is a very serious issue affecting +the Mailman 2.1 serious up to and including version 2.1.5. Mailman 2.1.6 is +not vulnerable. This issue can allow for the leakage of member passwords. + +

      The extent of your exposure to this vulnerability depends on factors such +as which version of Apache you are running and how you have it configured. We +do not currently know the exact combination that enables the hole, although we +currently believe that Apache 2.0 sites are not vulnerable and that that many +if not most Apache 1.3 sites are vulnerable. In any event, the safest +approach is to assume the worst and it is recommended that you apply +this Mailman patch as soon as possible. + +

      For additional piece of mind, it is +recommended that you regenerate your list member passwords using +the Mailman 2.1.6 reset_pw.py script. Put this file +in your Mailman installation's bin directory. After running the script, you +might also want to manually run the cron/mailpasswds script so that your users +will be informed of their new passwords. +

    • +
    + +
    + diff --git a/admin/www/site.html b/admin/www/site.html index ea5566fd..d997c3c8 100644 --- a/admin/www/site.html +++ b/admin/www/site.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + - + + + + -
    Home +Security + Documentation @@ -52,6 +55,9 @@ CELLSPACING=0 CELLPADDING=0
    +  + Help @@ -78,6 +84,9 @@ Overview Home
    +Security +
    Features
    @@ -139,7 +148,7 @@ Email Us  
    -© 1998-2003 +© 1998-2005 Free Software Foundation, Inc. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved. @@ -150,12 +159,12 @@ entire article is permitted in any medium, provided this notice is preserved.   
    +

    The Mailman Wishlist

    -

    (Last Update: $Date: 2003-10-07 23:26:58 +0100 (Tue, 07 Oct 2003) $) +

    (Last Update: $Date: 2005-02-10 14:10:10 +0000 (Thu, 10 Feb 2005) $)

    Here's the wish list for future versions of Mailman. Many new features have been added to Mailman 2.1, and it is currently diff --git a/admin/www/users.html b/admin/www/users.html index 2cd35c47..3ab57783 100644 --- a/admin/www/users.html +++ b/admin/www/users.html @@ -2,7 +2,7 @@ "http://www.w3.org/TR/html4/loose.dtd" > - + - +