[Mailman-Users] any info on this reported exploit?

Diana Orrick orrick at acns.fsu.edu
Thu Jan 26 22:17:15 CET 2006


Thank you for your prompt response and suggestion!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Diana Mayer Orrick              email: orrick at ucs.fsu.edu
 University Computing Services          ph: (850) 644-2591
 Florida State University              fax: (850) 644-8722
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Fri, 27 Jan 2006, Tokio Kikuchi wrote:

> Hi,
>
> Diana Orrick wrote:
> > http://www.securityfocus.com/bid/16248/discuss
> >
> > GNU Mailman Large Date Data Denial Of Service Vulnerability
> >
> > GNU Mailman is prone to a denial of service attack. This issue affects the
> > email date parsing functionality of Mailman.
> >
> > The vulnerability could be triggered by mailing list posts and will impact
> > the availability of mailing lists hosted by the application.
> > ______________________________________________________________________
> > this notice was from SANS at RISK:
> >
> > 06.3.18 CVE: CVE-2005-4153
> > Platform: Unix
> > Title: GNU Mailman Large Date Data Denial of Service
> > Description: Mailman is software to help manage email discussion
> > lists, much like Majordomo and SmartList. The application is exposed
> > to a denial of service issue when it attempts to parse very large
> > numbers of dates contained in email messages. All current versions are
> > affected.
> > Ref: http://www.securityfocus.com/bid/16248
> > ______________________________________________________________________
>
> Once it was only a "bug" which could cause a nuisance in administrative
> tasks.  Now they start to call it a "DoS" and threaten us. ;-)
>
> Mailman sends messages in both regular and digest delivery.  The digest
> processing is inserted in the middle of regular delivery if the accumulated
> messages reach a preset amount.  If there is a serious error in the
> digest processing, the regular delivery fails.  Since the messages are
> already accumulated, the arrival of the following message triggers the digest
> processing again, and the subsequent regular delivery also fails.
>
> This is the mechanism of "Denial of Service".
>
> Therefore, the site administrator should check the qfiles/shunt
> directory and the logs/error file periodically.
>
> Brad Knowls' Daily Status Report should help in this respect.  I really
> want to rewrite it in python and include in the official cron jobs (if I
> had enough time before the next release of mailman 2.2).
> http://sourceforge.net/tracker/index.php?func=detail&aid=1123383&group_id=103&atid=300103
>
> Mailman has many checkpoints that prevent such malicious messages from
> being passed through, and site/list admins could find workarounds.
>
> But, from mailman-2.1.7, we solved the problem by separating the error
> from regular delivery by the python "try-except" technique.  The digest
> delivery will still be stopped by the malicious message, but this should
> be notified to the site administrator by the cron/senddigests command.
>
> So, the answer to this CVE is "upgrade to 2.1.7."
>
> We found mailman-2.1.7 still has a few bugs and also uploaded an
> official patch:
> http://sourceforge.net/tracker/index.php?func=detail&aid=1405790&group_id=103&atid=300103
> I hope we can announce mailman-2.1.8a1 very soon.
>
> >
> > --------------------------------------------------------------
> > We are running Mailman 2.1.5 and have just found extraordinary
> > IO wait issues requiring shutdown|restart of Mailman.
>
> This may or may not be related to the DoS issue.  I suggest checking lock
> files, the shunt directory, and pending requests, and searching the mailman FAQ.
>
> >
> > The notice suggests all versions are vulnerable, is this the case?
> > If so, suggested workaround? Patch/upgrade coming?
>
> Mailman-2.1.7 is not vulnerable to this issue.
>
> Cheers,
>
> --
> Tokio Kikuchi
>
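The failure mechanism Tokio describes (digest processing running in the middle of regular delivery, so one unparseable message in the already-accumulated digest mailbox breaks every later regular delivery until the 2.1.7 "try-except" separation) can be modelled in a few lines. The following Python sketch is an added illustration for this archive page, not Mailman's own code and not part of the thread: the class and function names (ListState, deliver_unsafe, deliver_isolated, simulate) are invented, the digest threshold is arbitrary, and the sample posts are constructed. It uses a Date header that email.utils.parsedate_tz rejects as the stand-in for whatever the advisory's "large date data" actually was, since the thread does not say.

```python
"""
Toy model of the Mailman 2.1.x digest/regular-delivery coupling described
in the thread.  Added example; not Mailman source.  Names are invented.
"""
from email.utils import parsedate_tz


class BadDateError(ValueError):
    """Raised when a Date header cannot be parsed during digest processing."""


def parse_date_strict(value):
    # parsedate_tz returns None for dates it cannot parse; treat that as the
    # "serious error in the digest processing" from the thread.
    parsed = parsedate_tz(value)
    if parsed is None:
        raise BadDateError("unparseable Date header: %r" % (value,))
    return parsed


class ListState:
    """Per-list state: pending digest messages plus what was delivered/logged."""

    def __init__(self, digest_threshold):
        self.digest_threshold = digest_threshold
        self.digest_mbox = []    # messages waiting for the next digest
        self.delivered = []      # subjects that reached regular-delivery subscribers
        self.digests_sent = []   # each entry is the list of subjects in one digest
        self.errors = []         # what would be written to logs/error


def build_digest(state):
    # Digest assembly touches every pending message's Date header, so a single
    # bad message poisons the whole batch, and it stays in digest_mbox afterwards.
    for msg in state.digest_mbox:
        parse_date_strict(msg["Date"])
    state.digests_sent.append([m["Subject"] for m in state.digest_mbox])
    state.digest_mbox = []


def deliver_unsafe(state, msg):
    """Pre-2.1.7 shape: digest failure propagates and aborts regular delivery."""
    state.digest_mbox.append(msg)
    if len(state.digest_mbox) >= state.digest_threshold:
        build_digest(state)      # may raise; the line below then never runs
    state.delivered.append(msg["Subject"])


def deliver_isolated(state, msg):
    """2.1.7-style shape: digest errors are caught and logged; delivery proceeds."""
    state.digest_mbox.append(msg)
    if len(state.digest_mbox) >= state.digest_threshold:
        try:
            build_digest(state)
        except BadDateError as exc:
            # Digest stays stuck (digest_mbox keeps growing) until an admin
            # removes the offending message, but regular delivery is unaffected.
            state.errors.append(str(exc))
    state.delivered.append(msg["Subject"])


def simulate(deliver, messages, threshold=2):
    """Feed posts through `deliver`; return (state, subjects whose delivery blew up)."""
    state = ListState(threshold)
    failed = []
    for msg in messages:
        try:
            deliver(state, msg)
        except BadDateError:
            failed.append(msg["Subject"])
    return state, failed


# Constructed sample traffic, not real list posts.  "post 3" carries the bad header.
SAMPLE_POSTS = [
    {"Subject": "post 1", "Date": "Thu, 26 Jan 2006 22:17:15 +0100"},
    {"Subject": "post 2", "Date": "Fri, 27 Jan 2006 09:00:00 +0900"},
    {"Subject": "post 3", "Date": "NOT-A-DATE"},
    {"Subject": "post 4", "Date": "Fri, 27 Jan 2006 10:00:00 +0900"},
    {"Subject": "post 5", "Date": "Fri, 27 Jan 2006 11:00:00 +0900"},
]

if __name__ == "__main__":
    for fn in (deliver_unsafe, deliver_isolated):
        state, failed = simulate(fn, SAMPLE_POSTS)
        print(fn.__name__, "delivered:", state.delivered,
              "failed:", failed, "stuck in digest:", len(state.digest_mbox))
```

With a threshold of two, the unsafe path delivers "post 3" itself (its digest batch is not yet full) and then loses every later post, exactly the "following message triggers the digest processing again" loop; the isolated path delivers all five and leaves two error-log entries and a growing digest mailbox for the administrator to notice, which is why the thread still recommends watching qfiles/shunt and logs/error.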


