There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
2.1 versions which can allow remote attackers to gain access to member
passwords under certain conditions. The extent of the vulnerability
depends on what version of Apache you are running, and (possibly) how
you have configured your web server. However, the flaw is in Mailman
itself; it has been fixed in CVS and will be included in Mailman 2.1.6.
This issue has been assigned CVE number CAN-2005-0202.
We currently believe that Apache 2.0 sites are not vulnerable, and that
many if not most Apache 1.3 sites are. In any event, the safest
approach is to assume the worst and take the remediation steps indicated
below as soon as possible.
The quickest fix is to remove the /usr/local/mailman/cgi-bin/private
executable. This will disable all access to all private archives on
your system. While this is the quickest and easiest way to close the
hole, it will also break all your private archives. If all the lists on
your site only run public archives, this won't matter to you.
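The quick fix above, as an added shell example that is not part of the advisory: instead of deleting the private CGI outright, it keeps a permission-preserving copy outside cgi-bin (so the wrapper can be restored after upgrading to 2.1.6), strips all mode bits from the live file so the web server can no longer execute it, and then reports which lists actually use private archives, i.e. which ones this will break. The default prefix /usr/local/mailman, the name of the backup file and the use of Mailman's own bin/list_lists and bin/config_list are this example's assumptions.

```shell
# Added example, not from the Mailman advisory. Assumes the default
# prefix /usr/local/mailman; pass another prefix as the first argument.

# Disable the private-archive CGI without deleting it. A copy made with
# cp -p keeps owner, group and mode (including the setgid bit) and is
# stored outside cgi-bin so the web server cannot reach it; the live
# wrapper is left with mode 0000 so it can no longer be executed.
disable_private_cgi() {
    prefix="$1"
    cgi="$prefix/cgi-bin/private"
    if [ ! -f "$cgi" ]; then
        echo "no private CGI at $cgi" >&2
        return 1
    fi
    cp -p "$cgi" "$prefix/private.cgi.disabled"   # backup name is an assumption
    chmod 0000 "$cgi"
    # verify: the wrapper must no longer be executable
    if [ -x "$cgi" ]; then
        echo "failed to disable $cgi" >&2
        return 1
    fi
    echo "disabled $cgi; restore after upgrading with:"
    echo "  cp -p $prefix/private.cgi.disabled $cgi"
}

# Report the lists that use private archives (archive_private = 1 in
# bin/config_list output); these are the lists the quick fix breaks.
list_private_archives() {
    prefix="$1"
    if [ ! -x "$prefix/bin/list_lists" ]; then
        echo "no Mailman install at $prefix" >&2
        return 1
    fi
    for lst in $("$prefix/bin/list_lists" -b); do
        if "$prefix/bin/config_list" -o - "$lst" | grep -q '^archive_private = 1'; then
            echo "$lst: private archive (unavailable until the CGI is restored)"
        fi
    done
}

# usage: sh disable_private.sh [/path/to/mailman]
if [ $# -gt 0 ]; then
    disable_private_cgi "$1"
    list_private_archives "$1" || true
fi
```

Run it as root (or as the user owning the Mailman tree) so the mode change and the permission-preserving copy succeed; the restore command it prints puts the wrapper back with its original mode once 2.1.6 is installed.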
Until Mailman 2.1.6 is released, the longer term fix is to apply this
For additional peace of mind, it is recommended that you regenerate your
member passwords. Instructions on how to do this, and more information
about this vulnerability are available here:
My thanks to Tokio Kikuchi, Mark J Cox, and the folks on vendor-sec.
This issue was found by Marcus Meissner.