From mailman-developers@python.org Fri Nov 9 22:41:36 2001
From: mailman-developers@python.org (Barry A. Warsaw)
Date: Fri, 9 Nov 2001 17:41:36 -0500
Subject: [Mailman-Announce] RELEASE Mailman 2.0.7
Message-ID: <15340.23456.886142.932986@anthem.wooz.org>

Hi all,

I'm releasing Mailman 2.0.7, which fixes two potential, though obscure, security or denial-of-service attacks, along with a few other minor bug fixes. Details:

- If you are running Python 1.5.2, it is possible for someone to carefully craft some cookie data, and then trick Mailman into accepting that data, that will crash your Python interpreter. If you are not running Python 1.5.2, you should be invulnerable to the crash; however, it is still possible for someone to even more carefully craft some cookie data that could cause arbitrary class constructors to be executed on the server. While I believe it is difficult to exploit this, Mailman 2.0.7 closes this hole completely by disabling the Cookie.py module's default unpickling of cookie data.

- It is possible that Mailman's bounce handler could receive a bounce message that looked like a DSN report but was incorrectly formatted. Under Mailman 2.0.6's bounce detector, you would get a traceback for a message that would never be removed from the queue, thus potentially wedging your qrunner until the offending message was manually deleted. Mailman 2.0.7 fixes the DSN.py bounce detector.

There are a few other useful bug fixes in this release, described in the NEWS excerpt below. I recommend anybody running a version of Mailman up to, and including, 2.0.6 to upgrade to 2.0.7.

I'm releasing this version only as a tarball -- no patch file is provided at this time. As of this moment, only the SourceForge site is up-to-date, although I expect www.list.org and www.gnu.org to follow soon.
The release information is available on SourceForge at:

    http://sourceforge.net/project/shownotes.php?release_id=60758

and the file can be downloaded from:

    http://sourceforge.net/project/showfiles.php?group_id=103&release_id=60758

See also:

    http://www.gnu.org/software/mailman
    http://www.list.org
    http://mailman.sf.net

Cheers
-Barry

-------------------- snip snip --------------------
2.0.7 (09-Nov-2001)

    Security fixes:

    - Closed a hole in cookie management whereby some carefully crafted untrusted cookie data could crash Mailman if used with Python 1.5.2, or cause some unintended class constructors to be run on the server.

    - In the DSN.py bounce handler, a message that was DSN-like, but which was missing a "report-type" parameter, could cause a non-deletable bounce message to crash Mailman forever, requiring manual intervention.

    Bug fixes:

    - Stray % signs in headers and footers could cause crashes. Now they'll just cause an [INVALID HEADER] or [INVALID FOOTER] string to be added.

    - The mail->news gateway has been made more robust in the face of duplicate headers, and reserved headers that some news servers reject. If the message is still rejected, it is saved in $prefix/nntp instead of discarded.

    - Hand-crafted invalid chunk number in membership management display could cause a traceback.

From mailman-developers@python.org Wed Nov 28 04:31:54 2001
From: mailman-developers@python.org (Barry A. Warsaw)
Date: Tue, 27 Nov 2001 23:31:54 -0500
Subject: [Mailman-Announce] RELEASE Mailman 2.0.8
Message-ID: <15364.26810.428559.248496@anthem.wooz.org>

Hot on the heels of Mailman 2.0.7, I'm now releasing 2.0.8, which fixes several cross-site scripting security holes, and a few other minor bug fixes. More information on cross-site scripting exploits in general can be found at

    http://www.cert.org/advisories/CA-2000-02.html

I recommend anybody running a version of Mailman up to, and including, 2.0.7 to upgrade to version 2.0.8. I've made both full source tarballs and patches available.
Actually, patches going all the way back to 2.0 are now available on SourceForge. See

    http://sourceforge.net/project/showfiles.php?group_id=103

for links to download all the patches and the source tarball. If you decide to install the patches, please do read the release notes first:

    http://sourceforge.net/project/shownotes.php?release_id=63042

Currently the SourceForge and www.list.org sites are up-to-date, and I expect the gnu.org site to be updated soon.

See also:

    http://www.gnu.org/software/mailman
    http://www.list.org
    http://mailman.sf.net

I've also included links on the FAQ page to the Mailman FAQ wizard. Thanks everybody for contributing good entries! (I may do some reorg when I get a chance.) See the FAQ wizard at

    http://www.python.org/cgi-bin/faqw-mm.py

Cheers,
-Barry

-------------------- snip snip --------------------
2.0.8 (27-Nov-2001)

    Security fix release to prevent cross-site scripting exploits. See

    http://www.cert.org/advisories/CA-2000-02.html

    for a description of the general problem (not Mailman specific).
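The DSN.py fix in the 2.0.7 announcement above (a DSN-like bounce missing its report-type parameter must be skipped, not left to raise and wedge the queue runner), as an added example that is not Mailman's code: a small detector written against Python 3's email package, run over two constructed sample bounces. The sample addresses, hostnames and the function name are assumptions for illustration.

```python
from email import message_from_string
# Constructed sample (not from the Mailman archive): a well-formed DSN
# (RFC 3464) reporting one failed and one delayed recipient.
GOOD_DSN = """\
From: MAILER-DAEMON@mail.example.com
To: list-bounces@lists.example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.com

Final-Recipient: rfc822; alice@example.org
Action: failed

Final-Recipient: rfc822; bob@example.org
Action: delayed

--b1--
"""

# The same bounce minus the report-type parameter the 2.0.6 detector assumed.
NO_REPORT_TYPE = GOOD_DSN.replace(" report-type=delivery-status;", "")


def dsn_failed_recipients(raw):
    """Addresses a DSN reports as permanently failed, or None when the message
    is not a usable DSN.  Returning None instead of raising is what keeps one
    malformed bounce from wedging the queue runner."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return None
    if str(msg.get_param("report-type", "")).lower() != "delivery-status":
        return None
    status = next((p for p in msg.walk()
                   if p.get_content_type() == "message/delivery-status"), None)
    blocks = status.get_payload() if status is not None else None
    if not isinstance(blocks, list):  # no delivery-status part found
        return None
    failed = []
    for block in blocks:  # per-message block first, then one block per recipient
        if block.get("action", "").strip().lower() != "failed":
            continue
        # Value is "address-type; address", e.g. "rfc822; alice@example.org".
        recip = block.get("final-recipient") or block.get("original-recipient", "")
        if ";" in recip:
            failed.append(recip.split(";", 1)[1].strip().lower())
    return failed
```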