[Mailman-Users] any info on this reported exploit?

Mon Jan 30 03:03:25 CET 2006

>>>>> "Jim" == Jim Popovitch <jimpop at yahoo.com> writes:

    Jim> She was asking a very important question about something that
    Jim> was already public.

What important question?  It's an easy to execute exploit (in fact, it
occasionally happens due to ordinary mail, that's why it was found and
fixed before anybody asked about the DoS aspect) of very low interest
to black hats and small threat to a well-run site in most cases.
IIRC, it's been discussed on the list (though not as a security
threat).

The only interesting thing that happened was that somebody
sensationalized that problem by labelling it a potential DoS attack.
That doesn't make it important, except to Diana and others following
that channel.  Anybody who hadn't noticed would never notice.

So what is the scenario if Diana posts to mailman-security?  She gets
an answer and nobody ever notices.

And if three people ask on mailman-security?  There's a short post to
mailman-users, and it ends up in the faq, because it's a PITA for the
developers to keep answering it.

What's wrong with that?

    Jim> Are you suggesting that all "Hey, has this been fixed yet"
    Jim> questions should be off list and only one-on-one with
    Jim> mailman-security?

No, only for those defects that are not going to affect users unless
deliberately exploited.  For such security "holes", yes, "discuss only
with mailman-security" is announced policy.

    Jim> er, Right.... (the elitism really shines through Brad).

Please watch your language.  "Elitism" means restricting something to
a select group because of their personal qualifications.  The security
policy, and everything Brad has posted on the matter, says discussion
about potential exploits should be restricted to those with "need to
know", which is defined as "the ability to fix the problem and/or the
authority to distribute 'official' fixes."  This is a functional, not
a personal, qualification.

You're welcome to advocate a different definition of need-to-know, one
which includes large numbers of users who cannot contribute code or
distribute fixes, but the restrictive one above the one in common use
in the developer community.  To my knowledge nobody (in the open
source community) likes the implications for information
dissemination.

I admit that this is my personal interpretation of the discussions
that have gone on (in the Mailman community and elsewhere), but it is
the best I can come up with and honestly intended.  Barry, Tokio, and
Mark are welcome to jointly or severally repudiate it. :-)

-- 
School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.