Hi all,
I'm releasing Mailman 2.0.7 which fixes two potential, though obscure security or denial-of-service attacks, along with a few other minor bug fixes. Details:
If you are running Python 1.5.2, it is possible for someone to carefully craft some cookie data, and then trick Mailman into accepting that data, that will crash your Python interpreter.
If you are not running Python 1.5.2, you should be invulnerable to the crash, however it is still possible for someone to even more carefully craft some cookie data that could cause arbitrary class constructors to be executed on the server.
While I believe it is difficult to exploit this, Mailman 2.0.7 closes this hole completely, by disabling the Cookie.py module's default unpickling of cookie data.
It is possible that Mailman's bounce handler could receive a bounce message that looked like a DSN report, but was incorrectly formatted. Under Mailman 2.0.6's bounce detector, you would get a traceback for a message that would never be removed from the queue, thus potentially wedging your qrunner until the offending message was manually deleted.
Mailman 2.0.7 fixes the DSN.py bounce detector.
There are a few other useful bug fixes in this release, described in the NEWS excerpt below. I recommend anybody running a version of Mailman up to, and including 2.0.6 to upgrade to 2.0.7.
I'm releasing this version only as a tarball -- no patch file is provided at this time. As of this moment, only the SourceForge site is up-to-date, although I expect www.list.org and www.gnu.org to follow soon. The release information is available on SourceForge at:
http://sourceforge.net/project/shownotes.php?release_id=60758and the file can be downloaded from:
http://sourceforge.net/project/showfiles.php?group_id=103&release_id=60758See also:
http://www.gnu.org/software/mailman
http://www.list.org
http://mailman.sf.netCheers -Barry
-------------------- snip snip -------------------- 2.0.7 (09-Nov-2001)
Security fixes:
- Closed a hole in cookie management whereby some carefully
crafted untrusted cookie data could crash Mailman if used with
Python 1.5.2, or cause some unintended class constructors to be
run on the server.
- In the DSN.py bounce handler, a message that was DSN-like, but
which was missing a "report-type" parameter could cause a
non-deletable bounce message to crash Mailman forever, requiring
manual intervention.
Bug fixes:
- Stray % signs in headers and footers could cause crashes. Now
they'll just cause an [INVALID HEADER] or [INVALID FOOTER]
string to be added.
- The mail->news gateway has been made more robust in the face of
duplicate headers, and reserved headers that some news servers
reject. If the message is still rejected, it is saved in
$prefix/nntp instead of discarded.
- Hand-crafted invalid chunk number in membership management
display could cause a traceback.
Barry,
Thanks for the 2.0.7 upgrade.
I'm curious about your mention of problems related to Python 1.5.2 and pre 2.0.7 Mailman. Your announcement indicates 2.0.7 fixes the vulnerability.
Would you recommend an upgrade to a newer version of Python: 2.1.1 for instance? If yes, do you have suggestions about the upgrade path which should be used. I assume that a newer version of Python should be installed, then should Mailman be re-installed?
Thanks...
-- Bob
"RB" == Robert Benites <benites@cs.unca.edu> writes:
RB> Thanks for the 2.0.7 upgrade.You're welcome!
RB> I'm curious about your mention of problems related to Python
RB> 1.5.2 and pre 2.0.7 Mailman. Your announcement indicates 2.0.7
RB> fixes the vulnerability.Right. Python 1.5.2 had a bug in its pickle module that could crash the interpreter when given a particular string to unpickle. That crash is fixed in subsequent versions of Python (in fact I believe the Python 1.6 release had the fix).
However, it is /still/ possible to trick Python's pickle module into running arbitrary class initializers, and that could potentially be a security hole as well. Personally, I believe this is a vulnerability of the Cookie module, not the pickle module, since the former is using the latter on untrusted strings.
Because Mailman's cookie use in no way depends on Cookie's "helpful" use of unpickling, the Mailman 2.0.7 code simply disables this convenience. Internally, Mailman uses marshal to de-serialize the data encoded in the pickle, and I believe that since marshal only deals with primitive types, we should be safe.
RB> Would you recommend an upgrade to a newer version of Python:
RB> 2.1.1 for instance? If yes, do you have suggestions about the
RB> upgrade path which should be used. I assume that a newer
RB> version of Python should be installed, then should Mailman be
RB> re-installed?Upgrading Python is a good idea, but probably not enough to close all the holes. It's still possible that Mailman 2.1 will require at least Python 2.1.1 -- I'm still leaving open the possibility that I won't support Python 2.0.
If you do upgrade, my suggestion would be to upgrade Mailman to 2.0.7 first, then upgrade Python. Make backups! :)
-Barry
participants (2)
-
barry@zope.com -
Robert Benites