[Mailman-Users] any info on this reported exploit?
Tokio Kikuchi
tkikuchi at is.kochi-u.ac.jp
Thu Jan 26 21:59:01 CET 2006
Hi,
Diana Orrick wrote:
> http://www.securityfocus.com/bid/16248/discuss
>
> GNU Mailman Large Date Data Denial Of Service Vulnerability
>
> GNU Mailman is prone to a denial of service attack. This issue affects the
> email date parsing functionality of Mailman.
>
> The vulnerability could be triggered by mailing list posts and will impact
> the availability of mailing lists hosted by the application.
> ______________________________________________________________________
> this notice was from SANS at RISK:
>
> 06.3.18 CVE: CVE-2005-4153
> Platform: Unix
> Title: GNU Mailman Large Date Data Denial of Service
> Description: Mailman is software to help manage email discussion
> lists, much like Majordomo and SmartList. The application is exposed
> to a denial of service issue when it attempts to parse very large
> numbers of dates contained in email messages. All current versions are
> affected.
> Ref: http://www.securityfocus.com/bid/16248
> ______________________________________________________________________
Once it was only a "bug" which could cause a nuisance in administrative
tasks. Now they start to call it a "DoS" and threaten us. ;-)
Mailman sends messages in both regular and digest delivery. The digest
processing is inserted in the middle of regular delivery if the messages
accumulated have reached a preset amount. If there is a serious error in the
digest processing, the regular delivery fails. Since the messages are
already accumulated, the arrival of the following message triggers the digest
processing again, which also fails, along with the subsequent regular delivery.
This is the mechanism of the "Denial of Service".
Therefore, the site administrator should check the qfiles/shunt
directory and the logs/error file periodically.
Brad Knowles' Daily Status Report should help in this respect. I really
want to rewrite it in Python and include it in the official cron jobs (if I
have enough time before the next release of Mailman 2.2).
http://sourceforge.net/tracker/index.php?func=detail&aid=1123383&group_id=103&atid=300103
Mailman has many checkpoints that prevent such malicious messages from
passing through, and site/list admins could find workarounds.
But, from mailman-2.1.7, we solved the problem by separating the error
from regular delivery with the Python "try-except" technique. The digest
delivery will still be stopped by the malicious message, but this should
be notified to the site administrator by the cron/senddigests command.
So, the answer to this CVE is "upgrade to 2.1.7."
We found mailman-2.1.7 still has a few bugs and also uploaded an
official patch:
http://sourceforge.net/tracker/index.php?func=detail&aid=1405790&group_id=103&atid=300103
I hope we can announce mailman-2.1.8a1 very soon.
>
> --------------------------------------------------------------
> We are running Mailman 2.1.5 and have just found extraordinary
> IO wait issues requiring shutdown|restart of Mailman.
This may or may not be related to the DoS issue. I suggest checking lock
files, the shunt directory, and pending requests, and searching the Mailman FAQ.
>
> The notice suggests all versions are vulnerable, is this the case?
> If so, suggested workaround? Patch/upgrade coming?
Mailman-2.1.7 is not vulnerable to this issue.
Cheers,
--
Tokio Kikuchi
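The failure mode Tokio describes above (digest processing running inside the regular delivery path, an unguarded error there shunting the post, and every later post re-triggering the same failure because the digest mailbox still holds the bad message), next to the 2.1.7-style fix of containing the digest error with try/except, as an added toy model. This is example code written for this page, not Mailman's code: the `ListDelivery` class, the `digest_threshold` setting, the `simulate` driver and the sample posts are all constructed here, and the digest step is a stand-in that parses the post's Date: header into a `datetime` (raising for a year outside its range); it does not reproduce the actual CVE-2005-4153 trigger.

```python
"""Added example (not Mailman's code): toy model of digest processing
inside the regular delivery path, with and without error isolation."""
import datetime
import email.utils


def make_post(sender, date_header, body):
    """Constructed sample post; a dict stands in for an email message."""
    return {"From": sender, "Date": date_header, "Body": body}


def digest_header_date(post):
    """Stand-in digest step (an assumption, not Mailman's real code): parse
    the Date: header.  Raises ValueError if the header is unparseable or
    the year is outside what datetime can represent."""
    parsed = email.utils.parsedate_tz(post["Date"])
    if parsed is None:
        raise ValueError("unparseable Date: header")
    return datetime.datetime(*parsed[:6])  # year > 9999 -> ValueError


class ListDelivery:
    """Toy queue runner: digest handler first, then regular delivery."""

    def __init__(self, digest_threshold=2, isolate_digest_errors=False):
        self.digest_threshold = digest_threshold
        self.isolate_digest_errors = isolate_digest_errors
        self.digest_mbox = []        # posts accumulated for the next digest
        self.regular_delivered = []  # posts that reached regular delivery
        self.digests_sent = []       # each entry: the posts in one digest
        self.shunted = []            # analogue of qfiles/shunt
        self.error_log = []          # analogue of logs/error

    def _send_digest(self):
        """Digest processing over everything accumulated; the mailbox is
        cleared only on success, so a bad post stays in it after a failure."""
        for post in self.digest_mbox:
            digest_header_date(post)
        self.digests_sent.append(list(self.digest_mbox))
        self.digest_mbox.clear()

    def _digest_handler(self, post):
        self.digest_mbox.append(post)
        if len(self.digest_mbox) < self.digest_threshold:
            return
        if self.isolate_digest_errors:
            # 2.1.7-style: contain the digest failure, log it for the admin,
            # and let regular delivery of this post proceed.
            try:
                self._send_digest()
            except Exception as exc:
                self.error_log.append(f"digest processing failed: {exc}")
        else:
            # pre-2.1.7-style: the failure propagates into the queue runner.
            self._send_digest()

    def _regular_handler(self, post):
        self.regular_delivered.append(post)

    def process(self, post):
        """Run the handlers for one post.  An uncaught exception shunts the
        post and skips the remaining handlers, as the queue runner would."""
        try:
            self._digest_handler(post)
            self._regular_handler(post)
        except Exception as exc:
            self.shunted.append(post)
            self.error_log.append(f"shunted post from {post['From']}: {exc}")
            return "shunted"
        return "delivered"


def simulate(isolate_digest_errors):
    """Feed four constructed posts, the second with an absurd year in its
    Date: header, through the pipeline.  Returns (outcomes, ListDelivery)."""
    posts = [
        make_post("alice@example.org", "Thu, 26 Jan 2006 21:59:01 +0100", "first"),
        make_post("mallory@example.org", "Thu, 26 Jan 99999 21:59:01 +0100", "bad date"),
        make_post("bob@example.org", "Fri, 27 Jan 2006 09:00:00 +0100", "second"),
        make_post("carol@example.org", "Fri, 27 Jan 2006 10:00:00 +0100", "third"),
    ]
    lst = ListDelivery(digest_threshold=2,
                       isolate_digest_errors=isolate_digest_errors)
    return [lst.process(p) for p in posts], lst


if __name__ == "__main__":
    for isolate in (False, True):
        outcomes, lst = simulate(isolate)
        print(f"isolate_digest_errors={isolate}: {outcomes}; "
              f"regular={len(lst.regular_delivered)} shunted={len(lst.shunted)} "
              f"digests={len(lst.digests_sent)} errors={len(lst.error_log)}")
```

Without isolation, the first post is delivered and every post from the bad one onward is shunted, because the digest mailbox has reached its threshold and still contains the bad post, so each new arrival re-runs the failing digest step before regular delivery is reached; that is why checking qfiles/shunt and logs/error matters. With isolation, all four posts reach regular delivery, no digest is ever sent, and the digest failure is logged on every attempt, which is the state the reply says cron/senddigests should report to the site administrator.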