Mailman security issues

The GNU Mailman developers take security very seriously. All Mailman security concerns should be emailed to mailman-security at python dot org. This is a closed list that reaches the core Mailman developers.

Known issues and fixes

  • CAN-2005-0202 -- This is a very serious issue affecting the Mailman 2.1 series up to and including version 2.1.5. Mailman 2.1.6 is not affected. This issue can allow for the leakage of member passwords.

    A quick, immediate fix is to remove the /usr/local/mailman/cgi-bin/private executable. However, this will break any private archives your lists may be using. See below for a proper patch.

    The extent of your exposure to this vulnerability depends on factors such as which version of Apache you are running and how you have it configured. We do not currently know the exact combination that enables the hole, although we currently believe that Apache 2.0 sites are not vulnerable and that that many if not most Apache 1.3 sites are vulnerable. In any event, the safest approach is to assume the worst and it is recommended that you apply this Mailman patch as soon as possible.

    For additional piece of mind, it is recommended that you regenerate your list member passwords using the Mailman 2.1.6 reset_pw.py script. Put this file in your Mailman installation's bin directory. After running the script, you might also want to manually run the cron/mailpasswds script so that your users will be informed of their new passwords.

    Credit goes to Marcus Meissner for finding this issue.