[Mailman-Users] security heads up - path traversal with 2.1.5

[Chuq Von Rospach]

> 	However, I also take Chuq's point that all security announcements to 
> this list, and all related mailman mailing lists hosted on python.org, 
> should be made by Barry or one of the other core developers.  Even if 
> the information has been publicly released elsewhere, it is not 
> appropriate to post it here unless you are one of those people.
>

The point I tried to make via private email was this:

ignoring that Barry's in charge, and Barry should have the say as to 
when things are announced about Mailman, publishing the data here 
before Barry was ready to have it published and before the patches and 
other documentation, you're making the hack widely available before the 
is distributed.

Yes, it's true that this problem was discussed on a few forums (full 
disclosure for one), meaning the competent blackhats would know about 
it and be able to take advantage of it, but the overall distribution of 
the problem was still quite limited. By choosing to post it to this 
list, instead of it being a serious issue with limited exposure and 
risk, it now becomes a serious issue with endemic exposure and risk -- 
suddenly instead of a few people knowing the hack and being able to 
take advantage of it, basically anyone interested in Maiman could. And 
the instructions for how to protect yourself from it weren't final or 
ready for distribution, much less a patch or the updated release.

To say "it was already out there" is a false justification. it's the 
equivalent of hearing someone talking about it on a cel phone at 
Starbucks, and using that as justification for putting it on 
billboards. it complete changes the dynamics and risks of the exposure, 
putting sites at risk that otherwise wouldn't have been -- because 
instead of the clueful blackhats knowing about the problem, now every 
person on the list does, including all of those technically naive folks 
who just happen to be pissed off for being kicked off a mailing list 
and are looking for a way to get back at an admin.

my position is simple (and unchanged): if it's not your project, don't 
make strategic decisions about it. it was barry's call. Barry and Toiko 
were working the issue and trying to get things ready. By having it 
prematurely disclosed to a wide audience, those plans were screwed, and 
so were Barry's and Toiko's schedules and lives. That, enough, is 
reason enough to not do it, but it also likely caused some sites to get 
hacked that wouldn't have been, if it'd been handled properly.

Today's premature disclosure was like saying that since the adults lit 
candles in the evening, it was okay to hand matches to their children. 
Whatever the best of intentions -- a very bad idea.