[Mailman-Developers] Re: [Mailman-Announce] RELEASE Mailman 2.0.7
Thu, 15 Nov 2001 18:48:33 -0800
Thanks for the update, I haven't pulled the newest version, but wanted to
alert you to a possible bug:
List-Id: Lam Rim Radio Mailing List <lamrim.lamrim.com>
Please note the last line URL with the double "/" after private.
Thanks again for the great software!
At 05:41 PM 11/9/01 -0500, you wrote:
>I'm releasing Mailman 2.0.7 which fixes two potential, though obscure
>security or denial-of-service attacks, along with a few other minor
>bug fixes. Details:
>- If you are running Python 1.5.2, it is possible for someone to
> carefully craft some cookie data, and then trick Mailman into
> accepting that data, that will crash your Python interpreter.
> If you are not running Python 1.5.2, you should be invulnerable to
> the crash, however it is still possible for someone to even more
> carefully craft some cookie data that could cause arbitrary class
> constructors to be executed on the server.
> While I believe it is difficult to exploit this, Mailman 2.0.7
> closes this hole completely, by disabling the Cookie.py module's
> default unpickling of cookie data.
>- It is possible that Mailman's bounce handler could receive a bounce
> message that looked like a DSN report, but was incorrectly
> formatted. Under Mailman 2.0.6's bounce detector, you would get a
> traceback for a message that would never be removed from the queue,
> thus potentially wedging your qrunner until the offending message
> was manually deleted.
> Mailman 2.0.7 fixes the DSN.py bounce detector.
>There are a few other useful bug fixes in this release, described in
>the NEWS excerpt below. I recommend anybody running a version of
>Mailman up to, and including 2.0.6 to upgrade to 2.0.7.
>I'm releasing this version only as a tarball -- no patch file is
>provided at this time. As of this moment, only the SourceForge site
>is up-to-date, although I expect www.list.org and www.gnu.org to
>follow soon. The release information is available on SourceForge at:
>and the file can be downloaded from:
>-------------------- snip snip --------------------
> Security fixes:
> - Closed a hole in cookie management whereby some carefully
> crafted untrusted cookie data could crash Mailman if used with
> Python 1.5.2, or cause some unintended class constructors to be
> run on the server.
> - In the DSN.py bounce handler, a message that was DSN-like, but
> which was missing a "report-type" parameter could cause a
> non-deletable bounce message to crash Mailman forever, requiring
> manual intervention.
> Bug fixes:
> - Stray % signs in headers and footers could cause crashes. Now
> they'll just cause an [INVALID HEADER] or [INVALID FOOTER]
> string to be added.
> - The mail->news gateway has been made more robust in the face of
> duplicate headers, and reserved headers that some news servers
> reject. If the message is still rejected, it is saved in
> $prefix/nntp instead of discarded.
> - Hand-crafted invalid chunk number in membership management
> display could cause a traceback.
>Mailman-announce mailing list