blob: 377ac5180eaf2dc77eef250783b77b571f549e7a (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd" >
<html>
<!-- THIS PAGE IS AUTOMATICALLY GENERATED. DO NOT EDIT. -->
<!-- Thu Feb 10 09:41:58 2005 -->
<!-- USING HT2HTML 2.0 -->
<!-- SEE http://ht2html.sf.net -->
<!-- User-specified headers:
Title: Mailman security issues
-->
<head>
<title>Mailman security issues</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" >
<meta name="generator" content="HT2HTML/2.0" >
<style type="text/css">
body { margin: 0px; }
</style>
</head>
<body bgcolor="#ffffff" text="#000000"
marginwidth="0" marginheight="0"
link="#0000bb" vlink="#551a8b"
alink="#ff0000">
<!-- start of page table -->
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<!-- start of banner row -->
<tr>
<!-- start of corner cells -->
<td width="150" valign="middle" bgcolor="white" class="corner">
<center>
<a href="./index.html">
<img border=0 src="./images/logo-70.jpg"></a></center> </td>
<td width="15" bgcolor="#eecfa1"> </td><!--spacer-->
<!-- end of corner cells -->
<!-- start of banner -->
<td width="90%" bgcolor="#eecfa1" class="banner">
<!-- start of site links table -->
<table width="100%" border="0"
CELLSPACING=0 CELLPADDING=0
bgcolor="#ffffff">
<tr>
<td bgcolor="#eecfa1">
<a href="./index.html">Home</a>
</td>
<td bgcolor="#eecfa1">
<b>Security</b>
</td>
<td bgcolor="#eecfa1">
<a href="./docs.html">Documentation</a>
</td>
<td bgcolor="#eecfa1">
<a href="./lists.html">Mailing lists</a>
</td>
</tr><tr>
<td bgcolor="#eecfa1">
</td>
<td bgcolor="#eecfa1">
<a href="./help.html">Help</a>
</td>
<td bgcolor="#eecfa1">
<a href="./download.html">Download</a>
</td>
<td bgcolor="#eecfa1">
<a href="./devs.html">Developers</a>
</td>
</tr>
</table><!-- end of site links table -->
</td><!-- end of banner -->
</tr><!-- end of banner row -->
<tr><!-- start of sidebar/body row -->
<!-- start of sidebar cells -->
<td width="150" valign="top" bgcolor="#eecfa1" class="sidebar">
<!-- start of sidebar table -->
<table width="100%" border="0" cellspacing="0" cellpadding="3"
bgcolor="#ffffff">
<tr><td bgcolor="#36648b"><b><font color="#ffffff">
Overview
</font></b></td></tr>
<tr><td bgcolor="#eecfa1">
<a href="index.html">Home</a>
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="security.html">Security</li>
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="features.html">Features</a>
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="i18n.html">Internationalization</a>
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="otherstuff.html">Rants, Papers, and Logos</a>
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="inthenews.html">Mailman in Use</a>
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="prev.html">Previous Releases</a>
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="bugs.html">Bugs and Patches</a>
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="mirrors.html">Mirrors</a>
</td></tr>
<tr><td bgcolor="#eecfa1"> </td></tr>
<tr><td bgcolor="#36648b"><b><font color="#ffffff">
Exits
</font></b></td></tr>
<tr><td bgcolor="#eecfa1">
<a href="http://sf.net/projects/mailman">SF Project Page</a>
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="lists.html">Discussion Lists</a>
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="http://www.python.org/">Python</a>
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="http://www.gnu.org/">GNU</a>
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="http://barry.warsaw.us/">Barry Warsaw</a>
</td></tr>
<tr><td bgcolor="#eecfa1"> </td></tr>
<tr><td bgcolor="#36648b"><b><font color="#ffffff">
Email Us
</font></b></td></tr>
<tr><td bgcolor="#eecfa1">
<a href="mailto:mailman-users@python.org">mailman-users@python.org</a>
</td></tr>
<tr><td bgcolor="#eecfa1">
</td></tr>
<tr><td bgcolor="#eecfa1">
<a href="http://www.python.org/"><img border=0
src="./images/PythonPoweredSmall.png"
></a> <a href="http://sourceforge.net"><img
src="http://sourceforge.net/sflogo.php?group_id=103"
width="88" height="31" border="0"
alt="SourceForge Logo"></a>
</td></tr>
<tr><td bgcolor="#eecfa1">
</td></tr>
<tr><td bgcolor="#eecfa1">
© 1998-2005
Free Software Foundation, Inc. Verbatim copying and distribution of this
entire article is permitted in any medium, provided this notice is preserved.
</td></tr>
</table><!-- end of sidebar table -->
</td>
<td width="15"> </td><!--spacer-->
<!-- end of sidebar cell -->
<!-- start of body cell -->
<td valign="top" width="90%" class="body"><br>
<h3>Mailman security issues</h3>
The GNU Mailman developers take security very seriously. All Mailman security
concerns should be emailed to
<a href="mailto:%6D%61%69%6C%6D%61%6E%2D%73%65%63%75%72%69%74%79%40%70%79%74%68%6F%6E%2E%6F%72%67">mailman-security at python dot org</a>.
This is a closed list that reaches the core Mailman developers.
<h3>Known issues and fixes</h3>
<ul>
<li><b>CAN-2005-0202</b> -- This is a very serious issue affecting the Mailman
2.1 series up to and including version 2.1.5. Mailman 2.1.6 is not
affected. This issue can allow for the leakage of member passwords.
<p>A quick, immediate fix is to remove the /usr/local/mailman/cgi-bin/private
executable. However, this will break any private archives your lists may be
using. See below for a proper patch.
<p>The extent of your exposure to this vulnerability depends on factors such
as which version of Apache you are running and how you have it configured. We
do not currently know the exact combination that enables the hole, although we
currently believe that Apache 2.0 sites are not vulnerable and that that many
if not most Apache 1.3 sites are vulnerable. In any event, the safest
approach is to assume the worst and it is recommended that you apply
<a href="CAN-2005-0202.txt">this Mailman patch</a> as soon as possible.
<p>For additional piece of mind, it is
recommended that you regenerate your list member passwords using
<a href="reset_pw.py">the Mailman 2.1.6 reset_pw.py script</a>. Put this file
in your Mailman installation's bin directory. After running the script, you
might also want to manually run the cron/mailpasswds script so that your users
will be informed of their new passwords.
<p>Credit goes to Marcus Meissner for finding this issue.
</li>
</ul>
</td><!-- end of body cell -->
</tr><!-- end of sidebar/body row -->
</table><!-- end of page table -->
</body></html>
|