Hi all,
I'm releasing Mailman 2.0.7, which fixes two potential, though obscure, security or denial-of-service attacks, along with a few other minor bug fixes. Details:
- If you are running Python 1.5.2, it is possible for someone to carefully craft some cookie data, and then trick Mailman into accepting that data, that will crash your Python interpreter.
  If you are not running Python 1.5.2, you should be invulnerable to the crash; however, it is still possible for someone to even more carefully craft some cookie data that could cause arbitrary class constructors to be executed on the server.
  While I believe it is difficult to exploit this, Mailman 2.0.7 closes this hole completely by disabling the Cookie.py module's default unpickling of cookie data.
- It is possible that Mailman's bounce handler could receive a bounce message that looked like a DSN report but was incorrectly formatted. Under Mailman 2.0.6's bounce detector, you would get a traceback for a message that would never be removed from the queue, thus potentially wedging your qrunner until the offending message was manually deleted.
  Mailman 2.0.7 fixes the DSN.py bounce detector.
There are a few other useful bug fixes in this release, described in the NEWS excerpt below. I recommend that anybody running a version of Mailman up to, and including, 2.0.6 upgrade to 2.0.7.
I'm releasing this version only as a tarball -- no patch file is provided at this time. As of this moment, only the SourceForge site is up-to-date, although I expect www.list.org and www.gnu.org to follow soon. The release information is available on SourceForge at:
http://sourceforge.net/project/shownotes.php?release_id=60758
and the file can be downloaded from:
http://sourceforge.net/project/showfiles.php?group_id=103&release_id=60758
See also:
http://www.gnu.org/software/mailman
http://www.list.org
http://mailman.sf.net
Cheers -Barry
-------------------- snip snip --------------------
2.0.7 (09-Nov-2001)
Security fixes:
- Closed a hole in cookie management whereby some carefully crafted untrusted cookie data could crash Mailman if used with Python 1.5.2, or cause some unintended class constructors to be run on the server.
- In the DSN.py bounce handler, a message that was DSN-like, but which was missing a "report-type" parameter, could cause a non-deletable bounce message to crash Mailman forever, requiring manual intervention.
Bug fixes:
- Stray % signs in headers and footers could cause crashes. Now they'll just cause an [INVALID HEADER] or [INVALID FOOTER] string to be added.
- The mail->news gateway has been made more robust in the face of duplicate headers, and reserved headers that some news servers reject. If the message is still rejected, it is saved in $prefix/nntp instead of discarded.
- Hand-crafted invalid chunk number in membership management display could cause a traceback.
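As an added illustration of the hardening principle behind the cookie fix (this is not Mailman's code; the cookie name, secret and value format are constructed for the example): cookie data is parsed as plain strings only, never deserialized, and anything that fails a strict format check or an HMAC integrity check is rejected before it is used.

```python
import hmac
import hashlib
import re
from http.cookies import SimpleCookie

# Constructed for this example: a server-side secret (not Mailman's).
SECRET = b"example-server-secret"
# Payloads are restricted to a small character set before anything else is done.
_VALUE_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def make_cookie_value(payload: str) -> str:
    """Build 'payload:mac', where mac is an HMAC-SHA256 over the payload."""
    if not _VALUE_RE.match(payload):
        raise ValueError("payload contains characters outside the allowed set")
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def load_cookie_value(header: str, name: str):
    """Parse a Cookie header as plain strings and verify the MAC.

    Returns the payload string, or None when the cookie is absent,
    malformed, or forged. Nothing in the value is ever unpickled or
    otherwise deserialized; it is a string until it has been verified.
    """
    jar = SimpleCookie()
    try:
        jar.load(header)
    except Exception:  # CookieError on malformed input is treated as "no cookie"
        return None
    morsel = jar.get(name)
    if morsel is None:
        return None
    payload, sep, mac = morsel.value.rpartition(":")
    if not sep or not _VALUE_RE.match(payload):
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC check does not leak timing.
    if not hmac.compare_digest(mac, expected):
        return None
    return payload
```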
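As an added example of the DSN.py defect described above (not Mailman's own code; the sample bounce is constructed): a detector that treats a multipart/report message without a report-type parameter as "not a DSN" instead of raising, so the message can still be handled and deleted rather than wedging the queue.

```python
from email import message_from_string

# Constructed sample: a bounce that looks like a DSN but whose Content-Type
# lacks the report-type parameter (the case that crashed Mailman 2.0.6).
DSN_LIKE_BOUNCE = """\
From: MAILER-DAEMON@example.invalid
To: list-bounces@example.invalid
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient failed permanently.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.invalid

Final-Recipient: rfc822; gone@example.invalid
Action: failed
Status: 5.1.1
--b1--
"""


def dsn_failed_recipients(raw: str):
    """Return the addresses a DSN reports as permanently failed, or None
    when the message is not a well-formed DSN. A missing or unexpected
    report-type yields None rather than an exception, so the caller can
    fall through to other bounce heuristics and still delete the message."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return None
    report_type = msg.get_param("report-type")
    if not isinstance(report_type, str) or report_type.lower() != "delivery-status":
        return None
    failed = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()  # header blocks; the first is per-message
        if not isinstance(blocks, list):
            return None
        for block in blocks[1:]:
            action = (block.get("action") or "").strip().lower()
            recipient = block.get("final-recipient") or ""
            if action == "failed" and ";" in recipient:
                failed.append(recipient.split(";", 1)[1].strip())
    return failed
```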
"BAW" == Barry A Warsaw <barry@zope.com> writes:
Hello. Remember me? I nagged you a few months ago about getting some code we had written into Mailman. I got the impression that I'd hear from you or the FSF again regarding giving the copyright to the FSF, but I haven't heard anything so far. Did the issue fall by the wayside, or did something go wrong? Is there still any point in giving you code that was written for 2.0?
Calle Dybedahl | UNIX-admin | Telenordia Internet | cdy@algonet.se
Barry --
Thanks for the update, I haven't pulled the newest version, but wanted to alert you to a possible bug:
List-Help: <mailto:lamrim-request@lamrim.com?subject=help>
List-Post: <mailto:lamrim@lamrim.com>
List-Subscribe: <http://www.lamrim.com/mailman/listinfo/lamrim>,
<mailto:lamrim-request@lamrim.com?subject=subscribe>
List-Id: Lam Rim Radio Mailing List <lamrim.lamrim.com>
List-Unsubscribe: <http://www.lamrim.com/mailman/listinfo/lamrim>,
<mailto:lamrim-request@lamrim.com?subject=unsubscribe>
List-Archive: <http://www.lamrim.com/mailman/private//lamrim/>
Please note the last line URL with the double "/" after private.
Thanks again for the great software!
Roy
At 05:41 PM 11/9/01 -0500, you wrote:
Mailman-announce mailing list Mailman-announce@python.org http://mail.python.org/mailman/listinfo/mailman-announce
Dear Barry --
Is there a way to remove individual messages from the archives?
Thanks,
Roy
On Thu, Nov 22, 2001 at 07:23:52PM -0800, Roy Harvey wrote:
When I've had to do this, I just go edit that HTML file by hand and replace the message text with "THIS MESSAGE HAS BEEN REMOVED".
Had a couple of "for sale" posts that kept coming up in Google and I kept getting email from people a year later (almost one a day!) about "do you still have your X10 stuff for sale?" I finally went in and put this in the message archive HTML:
<h1> THIS ITEM IS NO LONGER FOR SALE. DONT EMAIL ME ABOUT IT </h1>
Couple of days later, the emails stopped. 8-)
Bill
-- Bill Bradford mrbill@mrbill.net Austin, TX