On 03/27/2015 02:42 PM, Mark Sapiro wrote:
> A security vulnerability in Mailman has been found and fixed. It has been assigned CVE-2015-2775. The details of this vulnerability and fix will be announced next Tuesday, 31 March 2015, at which time both a patch for this specific vulnerability and Mailman 2.1.20 will be released.
Here is more information. The report at https://launchpad.net/bugs/1437145 is now public.
Your installation is only vulnerable if both of the following are true.
1) Delivery of list mail to mailman from the MTA uses some kind of programmatic method as opposed to fixed aliases. This includes Exim with the recommended transport, Postfix with the postfix_to_mailman.py transport and qmail with the qmail-to-mailman.py transport.
2) Untrusted users are able to create files on the Mailman server that are accessible to Mailman. These can be in a user's home directory or /tmp or anywhere that can be accessed via a path like /path/to/mailman/lists/../../../../../../../../path/to/directory.
Installations most at risk likely include hosting services using cPanel with untrusted users. Outside of those, the majority of sites are probably not vulnerable.
This vulnerability is fixed by the patch in the attached file. This patch will apply with at most a line number offset to the Utils.py module in any Mailman 2.1.x version that doesn't already have it. If your Mailman version is 2.1.11 or later, just apply the patch to Mailman/Utils.py and restart Mailman. For versions older than 2.1.11, the setting mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS referenced in the patch doesn't exist, so you also need to add
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
to Defaults.py or mm_cfg.py before restarting Mailman.
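As an added illustration of what the ACCEPTABLE_LISTNAME_CHARACTERS setting buys you (this is example code written for this message, not the attached patch and not Mailman's own Utils.py), the following Python strips every acceptable character from a list name and rejects the name if anything is left, so a name carrying "/" or "../" segments is refused before it is ever joined onto the lists directory. The lists directory path and the function names are assumptions; the containment check in safe_list_path is an extra belt-and-braces step, not part of the patch described above.

```python
import posixpath
import re

# Same character class the message asks pre-2.1.11 installations to add.
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'

# Assumed lists directory; the real one depends on the Mailman install prefix.
LISTS_DIR = '/path/to/mailman/lists'


def is_acceptable_listname(listname, pattern=ACCEPTABLE_LISTNAME_CHARACTERS):
    """True iff listname is non-empty and made only of acceptable characters.

    Mirrors the idea of the fix: remove every acceptable character and
    reject the name if anything (such as '/') survives.
    """
    if not listname:
        return False
    return re.sub(pattern, '', listname) == ''


def list_path(listname, lists_dir=LISTS_DIR):
    """Path a list name resolves to with NO validation (the pre-fix behaviour)."""
    return posixpath.normpath(posixpath.join(lists_dir, listname))


def escapes_lists_dir(listname, lists_dir=LISTS_DIR):
    """True iff the unvalidated path lands outside lists_dir.

    This is the traversal the message describes: a name like
    '../../../../home/user/dir' points Mailman at a directory an
    untrusted user controls.
    """
    return not list_path(listname, lists_dir).startswith(lists_dir.rstrip('/') + '/')


def safe_list_path(listname, lists_dir=LISTS_DIR):
    """Validated resolution: None for names that fail the character check.

    Defence in depth (assumption, not in the patch): also refuse any name
    that still resolves outside lists_dir. The class allows '.', so a name
    consisting only of dots passes the character check yet resolves to the
    parent directory; this second check catches that as well.
    """
    if not is_acceptable_listname(listname):
        return None
    path = list_path(listname, lists_dir)
    if not path.startswith(lists_dir.rstrip('/') + '/'):
        return None
    return path
```

The traversal-style name used in the checks below is a constructed sample, not one taken from the bug report.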