| +Home + | ++Security + | ++Documentation + | ++Mailing lists + | +
| + + | ++Help + | ++Download + | ++Developers + | +
| +Overview + |
| +Home + |
| +Security + |
| +Features + |
| +Internationalization + |
| +Rants, Papers, and Logos + |
| +Mailman in Use + |
| +Previous Releases + |
| +Bugs and Patches + |
| +Mirrors + |
| +Exits + |
| +SF Project Page + |
| +Discussion Lists + |
| +Python + |
| +GNU + |
| +Barry Warsaw + |
| +Email Us + |
| +mailman-users@python.org + |
| + + |
+ |
| + + |
| +© 1998-2005 +Free Software Foundation, Inc. Verbatim copying and distribution of this +entire article is permitted in any medium, provided this notice is preserved. + + |
+
Mailman security issues
+ +The GNU Mailman developers take security very seriously. All Mailman security +concerns should be emailed to +Known issues and fixes
+ +-
+
- CAN-2005-0202 -- This is a very serious issue affecting
+the Mailman 2.1 serious up to and including version 2.1.5. Mailman 2.1.6 is
+not vulnerable. This issue can allow for the leakage of member passwords.
+
+
The extent of your exposure to this vulnerability depends on factors such +as which version of Apache you are running and how you have it configured. We +do not currently know the exact combination that enables the hole, although we +currently believe that Apache 2.0 sites are not vulnerable and that that many +if not most Apache 1.3 sites are vulnerable. In any event, the safest +approach is to assume the worst and it is recommended that you apply +this Mailman patch as soon as possible. + +
For additional piece of mind, it is +recommended that you regenerate your list member passwords using +the Mailman 2.1.6 reset_pw.py script. Put this file +in your Mailman installation's bin directory. After running the script, you +might also want to manually run the cron/mailpasswds script so that your users +will be informed of their new passwords. +
+