[Mailman-Users] Re: [Mailman-Announce] Critical security update for Mailman 2.1.5 and earlier
Axel Beckert
beckert at ecos.de
Thu Feb 10 20:55:34 CET 2005
Hi!
I already patched our servers yesterday after the mail on
full-disclosure about it being hacked. (See
http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html.)
The patch mentioned there is without doing the syslog entry, but in
general it does the same.
I just want to share my experiences with the patch:
Am Thu, Feb 10, 2005 at 09:41:05AM -0500, Barry Warsaw schrieb:
> There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
> 2.1 versions
As I noticed, 2.0.x versions (at least 2.0.13) are vulnerable,
too. (As the subject of the announcement also suggested.)
> which can allow remote attackers to gain access to member passwords
> under certain conditions.
Not only to member passwords but to any file readable by the user
under which the Mailman CGI scripts are running, e.g. /etc/passwd on
many systems.
> Until Mailman 2.1.6 is released, the longer term fix is to apply
> this patch:
>
> http://www.list.org/CAN-2005-0202.txt
Which unfortunately only works with Python 2.
Python 1 (respective at least 1.5.2) complains about syntax
errors. (Which, in fact, also helps against the vulnerability by
displaying the "You've found a Mailman bug" page. ;-)
Is there any patch which complies with Python 1 syntax? (Sorry,
although I patched some "features" in Mailman once, I'm not the
Python guy. :)
Kind regards, Axel Beckert
--
-------------------------------------------------------------
Axel Beckert ecos electronic communication services gmbh
it security solutions * web applications with apache and perl
Mail: Tulpenstrasse 5 D-55276 Dienheim near Mainz
E-Mail: beckert at ecos.de Voice: +49 6133 939-220
WWW: http://www.ecos.de/ Fax: +49 6133 939-333
-------------------------------------------------------------
More information about the Mailman-Users
mailing list