[Mailman-Users] security heads up - path traversal with 2.1.5
Chuq Von Rospach
chuqui at plaidworks.com
Wed Feb 9 21:47:34 CET 2005
If Barry didn't know about it, disclosing it without his approval was
wrong.
If Barry DID know, and hadn't done the disclosure himself, doing it
without his approval was wrong, because Barry likely had a reason why
he hadn't mentioned it yet.
Either way, something like this should have been left to the project
developers (i.e. Barry) to disclose.
Some of the mailman team knew about this (I did), and it's been
actively worked on. One reason it wasn't announced here before was
because the problem was in very limited distribution publicly, and
putting it on THIS list before the formal patches are ready is a great
way to teach everyone who didn't come up with the attack what it is,
while mailman sites don't have a patch to solve it. Before, only a few
people knew about it (including, obviously, some blackhats). Now, lots
of folks do. That makes life worse, not better, for lots of us.
And, FWIW, there are still some questions about who exactly is
vulnerable and who isn't, because not everyone can reproduce the
problem -- it seems to tie into multiple factors, and it'd be nice if
we knew who really had to worry...
But for now, everyone has to, since it was brought forward before
everything was ready.
On Feb 9, 2005, at 12:08 PM, Ron Brogden wrote:
> Hello Brad. I was under the impression that the Mailman team already
> knew
> about this issue which is why I didn't go through the above procedure.