From barry at python.org Thu Feb 10 15:41:05 2005
From: barry at python.org (Barry Warsaw)
Date: Thu Feb 10 15:41:09 2005
Subject: [Mailman-Announce] Critical security update for Mailman 2.1.5 and earlier
Message-ID: <1108046465.8044.63.camel@presto.wooz.org>

There is a critical security flaw in Mailman 2.1.5 and earlier Mailman 2.1 versions which can allow remote attackers to gain access to member passwords under certain conditions. The extent of the vulnerability depends on what version of Apache you are running, and (possibly) how you have configured your web server. However, the flaw is in Mailman and has been fixed in CVS and will be included in the Mailman 2.1.6 release. This issue has been assigned CVE number CAN-2005-0202.

We currently believe that Apache 2.0 sites are not vulnerable, and that many if not most Apache 1.3 sites are. In any event, the safest approach is to assume the worst and take the remediation steps indicated below as soon as possible.

The quickest fix is to remove the /usr/local/mailman/cgi-bin/private executable. This will disable all access to all private archives on your system. While this is the quickest and easiest way to close the hole, it will also break all your private archives. If all the lists on your site only run public archives, this won't matter to you.

Until Mailman 2.1.6 is released, the longer term fix is to apply this patch:

http://www.list.org/CAN-2005-0202.txt

For additional peace of mind, it is recommended that you regenerate your member passwords. Instructions on how to do this, and more information about this vulnerability are available here:

http://www.list.org/security.html

My thanks to Tokio Kikuchi, Mark J Cox, and the folks on vendor-sec. This issue was found by Marcus Meissner.

-Barry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://mail.python.org/pipermail/mailman-announce/attachments/20050210/4f0f07e1/attachment.pgp
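The "quickest fix" above is to take the private-archive CGI out of service until the patch is applied. The script below is an added example for carrying that step out and checking it; it is not from the announcement or the Mailman project. It assumes the default prefix /usr/local/mailman (overridable through MAILMAN_PREFIX or a first argument) and, instead of deleting the binary, moves it to a directory of its own choosing outside cgi-bin so that it can be restored after the patch or the 2.1.6 upgrade. Moving it out of cgi-bin matters because Apache executes every file under a ScriptAlias'd directory, so renaming it in place would not close anything.

```shell
#!/bin/sh
# Added example (not Mailman's own code). Assumes the layout from the
# announcement: $MAILMAN_PREFIX/cgi-bin/private is the private-archive CGI.
MAILMAN_PREFIX="${MAILMAN_PREFIX:-/usr/local/mailman}"
# Name of the holding directory is this script's choice (assumption).
DISABLED_DIR="disabled-cgi"

# Returns 0 (true) when the private archive CGI is present and executable,
# i.e. the exposure described in the announcement is still reachable.
private_cgi_exposed() {
    prefix="${1:-$MAILMAN_PREFIX}"
    [ -x "$prefix/cgi-bin/private" ]
}

# Take the CGI out of service by moving it out of the ScriptAlias'd
# directory. Leaving it in cgi-bin under another name would not help:
# Apache would still execute it if a client asked for the new name.
disable_private_cgi() {
    prefix="${1:-$MAILMAN_PREFIX}"
    cgi="$prefix/cgi-bin/private"
    [ -e "$cgi" ] || return 0            # already gone: nothing to do
    mkdir -p "$prefix/$DISABLED_DIR" || return 1
    chmod 0700 "$prefix/$DISABLED_DIR" || return 1
    mv "$cgi" "$prefix/$DISABLED_DIR/private" || return 1
    ! private_cgi_exposed "$prefix"      # verify the CGI is really gone
}

# Put the CGI back once the CAN-2005-0202 patch or 2.1.6 is in place.
restore_private_cgi() {
    prefix="${1:-$MAILMAN_PREFIX}"
    saved="$prefix/$DISABLED_DIR/private"
    [ -e "$saved" ] || return 1          # nothing saved: refuse quietly
    mv "$saved" "$prefix/cgi-bin/private" || return 1
    private_cgi_exposed "$prefix"
}

# Status report for the configured prefix (safe to run as a plain check).
if private_cgi_exposed; then
    echo "private archive CGI is executable under $MAILMAN_PREFIX/cgi-bin"
else
    echo "private archive CGI is not executable under $MAILMAN_PREFIX/cgi-bin"
fi
```

Run it once as a check, then `disable_private_cgi` (as the user that owns the Mailman tree) to close the window; after patching, `restore_private_cgi` brings private archives back. Regenerating member passwords, as the announcement recommends, is a separate step that this script does not perform.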