[Mailman-Developers] Re: Security
barry@wooz.org
Mon, 23 Oct 2000 23:03:47 -0400 (EDT)
>>>>> "JCL" == J C Lawrence <claw@kanga.nu> writes:
JCL> A week or so ago (right about the time I disappeared) I had
JCL> a drive die on the system I run Mailman from. I thought
JCL> replacing the drive and restoring its contents from backups
JCL> would be enough. It wasn't. It turns out that in dying
JCL> several other filesystems were corrupted in various odd and
JCL> inelegant fashions (including both my tripwire DB and its
JCL> backup, sod it).
JCL> This has left me in an odd position:
JCL> If I post to a specific list, or approve a held post for
JCL> that list, there is an 80% chance that this will crash the
JCL> machine (complete lock, no interrupts, no useful log entries).
JCL> This is reproducible. I've done it a great many times --
JCL> enough to wish I had a watchdog card in that machine. It's
JCL> also rather scary -- Mailman is running as a non-privileged
JCL> user after all.
JCL> As part of the recovery I've re-installed every single binary
JCL> on the entire system (including Python et al). The one thing
JCL> I haven't reinstalled is Mailman (v1.1). I also haven't
JCL> disassembled or rebuilt the config.db's for the crashing lists.
JCL> Interested in the relevant files? I'll be saving everything
JCL> off (of course), but I doubt I'll have time in the near
JCL> future to dissect this.
I'm not sure what I can do, because I currently have no way of running
Mailman 1.1. I could take your files and upgrade them to 2.0 and see
what happens, but I'd be surprised if I get the same hard crash.
As you say, Mailman isn't doing anything special and has no special
privs. How could that crash or hang your system? Maybe it's tripping
a bug in your MTA, web server, or OS. What flavors and versions of
those do you run?
Very odd.
-Barry