[Mailman-Users] security heads up - path traversal with 2.1.5

Florian Weimer fw at deneb.enyo.de
Mon Feb 14 13:24:45 CET 2005


* Chuq Von Rospach:

> my position is simple (and unchanged): if it's not your project, don't 
> make strategic decisions about it.

Unfortunately, the crackers that began to attack Mailman sites in
January didn't respect your wishes.

Who has a say in the disclosure of a security bug?  The person who
discovers it?  The bad guy who exploits it?  The person who discovers
evidence of a break-in?  The site administrator who discovers the
exploit used by the bad guy?  The security team which is contacted by
the site administrator?  The author who wrote the software?  The
vendors who make money distributing the product?  Site administrators
who have been attacked and don't know about it yet?[1]  Site
administrators who might be attacked in the future?

You're trying to establish something like ownership of security bugs.
This might work if all parties cooperate in a process that ensures
secrecy (including your users, who might as well switch to different
software because they don't trust you because you're hiding critical
bugs from them).  It breaks down as soon as someone doesn't play by
your rules, as happened in this case.

[1] full-disclosure was not the first mailing list that was attacked.


