Security patch and Mailman 2.1.20 to be released on 31 March

A security vulnerability in Mailman has been found and fixed. It has been assigned CVE-2015-2775. The details of this vulnerability and fix will be announced next Tuesday, 31 March 2015, at which time both a patch for this specific vulnerability and Mailman 2.1.20 will be released.
In addition to this security fix, Mailman 2.1.20 includes a new feature allowing a list owner to change a list member's address through the admin Membership Management... Section, and a couple of minor bug fixes.
The new feature is a fix for <https://launchpad.net/bugs/266809>.
The bugs fixed are: <https://launchpad.net/bugs/1426825>, <https://launchpad.net/bugs/1426829> and <https://launchpad.net/bugs/1427389>.
The security vulnerability, the details of which are currently private, is <https://launchpad.net/bugs/1437145>.
The security vulnerability only affects those installations which use Exim, Postfix's postfix_to_mailman.py or similar programmatic (not aliases) MTA delivery to Mailman, and have untrusted local users on the Mailman server.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

On 03/27/2015 02:42 PM, Mark Sapiro wrote:
Here is more information. The report at <https://launchpad.net/bugs/1437145> is now public.
Your installation is only vulnerable if both of the following are true.

1. Delivery of list mail to mailman from the MTA uses some kind of programmatic method as opposed to fixed aliases. This includes Exim with the recommended transport, Postfix with the postfix_to_mailman.py transport and qmail with the qmail-to-mailman.py transport.

2. Untrusted users are able to create files on the Mailman server that are accessible to Mailman. These can be in a user's home directory or /tmp or anywhere that can be accessed via a path like /path/to/mailman/lists/../../../../../../../../path/to/directory.
Installations most at risk likely include hosting services using cPanel with untrusted users. Outside of those, the majority of sites are probably not vulnerable.
This vulnerability is fixed by the patch in the attached file. This patch will apply with at most a line number offset to the Utils.py module in any Mailman 2.1.x version that doesn't already have it. If your Mailman version is 2.1.11 or later, just apply the patch to Mailman/Utils.py and restart Mailman. For versions older than 2.1.11, the setting mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS referenced in the patch doesn't exist, so you also need to add
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
to Defaults.py or mm_cfg.py before restarting Mailman.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
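The check described above, as an added illustration (not the Mailman patch itself) of how a character whitelist such as ACCEPTABLE_LISTNAME_CHARACTERS, backed by a path-confinement check, stops a traversal-shaped list name before it is turned into a filesystem path; LISTS_DIR and the function names are assumptions made for this example.

```python
import os
import re

# The pattern quoted in the announcement for pre-2.1.11 installs; 2.1.11 and
# later already define it as mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS.
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'

# Hypothetical lists directory, used only by the path-confinement check.
LISTS_DIR = '/var/lib/mailman/lists'


def listname_is_acceptable(listname):
    """Whitelist check: delete every acceptable character and require that
    nothing is left.  Any survivor ('/', '\\', ' ', uppercase, ...) means the
    name is not safe to use as a path component.  The class is lowercase
    only, so callers lowercase the name first, as Mailman itself does."""
    if not listname:
        return False
    return re.sub(ACCEPTABLE_LISTNAME_CHARACTERS, '', listname) == ''


def listpath_is_confined(listname, lists_dir=LISTS_DIR):
    """Defence in depth: resolve the would-be list directory and require that
    it still lies inside lists_dir.  '..' components collapse during
    normalisation, so a traversal name escapes the prefix and is rejected
    even if the whitelist were misconfigured."""
    base = os.path.realpath(lists_dir)
    target = os.path.realpath(os.path.join(base, listname))
    return target.startswith(base + os.sep)


def list_exists_safely(listname, lists_dir=LISTS_DIR):
    """Order matters: reject hostile names before touching the filesystem.
    A rejection here is the point at which a real deployment would log the
    name and its origin as mischief."""
    if not listname_is_acceptable(listname):
        return False
    if not listpath_is_confined(listname, lists_dir):
        return False
    config = os.path.join(lists_dir, listname, 'config.pck')
    return os.path.exists(config)
```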
