Mailman 3 November 2021 - Mailman-Developers

before next release: disable backscatter in default installation
by Jo Rhett 07 Nov '22

07 Nov '22

Hi. There's a fairly simple problem here that needs to be addressed. And it's mostly a documentation/install problem. I'm hoping we can get this resolved before the next release. PROBLEM: Mailman comes out of the box ready to backscatter spam people. Yes, it's easy enough to fix. But because it comes stock this way, and is documented to install this way, most people install it to do this. Those of us who work in abuse departments are tired of hearing "well that's how Mailman works". We also object to having to teach people how to fix their mailman installations because it's not documented in the current manual. This is *exactly* like Sendmail 14 years ago. We didn't accept it then, and Sendmail fixed the problem. RESOLUTION: Mailman default installation should not backscatter in a default configuration. 1. Don't create backscatter aliases for subscribe/unsubscribe/etc by default. Nearly everyone uses web based signup. 2. Discard or hold messages from non-subscribers by default. I would think that it would be perfectly reasonable to have documentation on how to enable the 1980s-style -request / -subscribe etc aliases. However this documentation should have a note that this is against the AUP of nearly every network provider, and enabling it will likely cause them to get listed in various blacklists as a backscatter source. FYI: I know that this goes against the instincts of many old-time mailing list advocates here. But after dealing with a 10k/hour backscatter DoS my tolerance for this problem is understandably limited. Yes, it was a sweet day back in the 1980s. I was running a mailing list server and several UUCP gateways at the time, so I remember them well. But those days are past, and we need to deal with the reality of today. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness

21 168

Mailman 2.1.38 security release
by Mark Sapiro 30 Nov '21

30 Nov '21

A CSRF vulnerability has been reported by Riccardo Schirone of RedHat. This is assigned CVE-2021-44227. I plan to release Mailman 2.1.38 on Tuesday, 30 November to fix this. -- Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

1 1

Mailman 2.1 security release
by Mark Sapiro 12 Nov '21

12 Nov '21

I am pleased to announce the release of Mailman 2.1.36. This is a security release. It fixes https://bugs.launchpad.net/mailman/+bug/1949401 CVE-2021-43331 and https://bugs.launchpad.net/mailman/+bug/1949403 CVE-2021-43332. The former of these could allow an XSS attack against the user options page and the latter could allow a list moderator to discover the list admin password via a brute force attack against the admindb page CSRF token. For those who just want a patch for the security issues, patches are atteched. As noted Mailman 2.1.30 was the last feature release of the Mailman 2.1 branch from the GNU Mailman project. There has been some discussion as to what this means. It means there will be no more releases from the GNU Mailman project containing any new features. There may be future patch releases to address the following: i18n updates. security issues. bugs affecting operation for which no satisfactory workaround exists. Mailman 2.1.36 is the sixth such patch release. Mailman is free software for managing email mailing lists and e-newsletters. Mailman is used for all the python.org and SourceForge.net mailing lists, as well as at hundreds of other sites. For more information, please see our web site at one of: http://www.list.org https://www.gnu.org/software/mailman http://mailman.sourceforge.net/ Mailman 2.1.36 can be downloaded from https://launchpad.net/mailman/2.1/ https://ftp.gnu.org/gnu/mailman/ https://sourceforge.net/projects/mailman/ -- Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

1 2

Mailman 2.1 security release
by Mark Sapiro 06 Nov '21

06 Nov '21

Two new security issues have been reported in Mailman 2.1. These have been given the IDs CVE-2021-43331 and CVE-2021-43332. I plan to release 2.1.36 with full details this Friday, November 12. At that time the vulnerabilities will be made public and patches will also be made available. -- Mark Sapiro <mark(a)msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

1 0