CAN-2005-0202 -- This is a very serious issue affecting the Mailman
2.1 series up to and including version 2.1.5. Mailman 2.1.6 is not
affected. This issue can allow for the leakage of member passwords.
A quick, immediate fix is to remove the /usr/local/mailman/cgi-bin/private
executable. However, this will break any private archives your lists may be
using. See below for a proper patch.
The extent of your exposure to this vulnerability depends on factors such
as which version of Apache you are running and how you have it configured. We
do not currently know the exact combination that enables the hole, although we
currently believe that Apache 2.0 sites are not vulnerable and that that many
if not most Apache 1.3 sites are vulnerable. In any event, the safest
approach is to assume the worst and it is recommended that you apply
this Mailman patch as soon as possible.
For additional piece of mind, it is
recommended that you regenerate your list member passwords using
the Mailman 2.1.6 reset_pw.py script. Put this file
in your Mailman installation's bin directory. After running the script, you
might also want to manually run the cron/mailpasswds script so that your users
will be informed of their new passwords.
Credit goes to Marcus Meissner for finding this issue.