[Mailman-Developers] Re: [Mailman-Announce] RELEASE Mailman 2.0.7

Roy Harvey roy@lamrim.com
Thu, 15 Nov 2001 18:48:33 -0800

Barry --

Thanks for the update. I haven't pulled the newest version, but wanted to
alert you to a possible bug:

	List-Help: <mailto:lamrim-request@lamrim.com?subject=help>
	List-Post: <mailto:lamrim@lamrim.com>
	List-Subscribe: <http://www.lamrim.com/mailman/listinfo/lamrim>,
	List-Id: Lam Rim Radio Mailing List <lamrim.lamrim.com>
	List-Unsubscribe: <http://www.lamrim.com/mailman/listinfo/lamrim>,
	List-Archive: <http://www.lamrim.com/mailman/private//lamrim/>

Please note the last line URL with the double "/" after private.

Thanks again for the great software!


At 05:41 PM 11/9/01 -0500, you wrote:
>Hi all,
>
>I'm releasing Mailman 2.0.7 which fixes two potential, though obscure
>security or denial-of-service attacks, along with a few other minor
>bug fixes.  Details:
>
>- If you are running Python 1.5.2, it is possible for someone to
>  carefully craft some cookie data, and then trick Mailman into
>  accepting that data, that will crash your Python interpreter.
>
>  If you are not running Python 1.5.2, you should be invulnerable to
>  the crash, however it is still possible for someone to even more
>  carefully craft some cookie data that could cause arbitrary class
>  constructors to be executed on the server.
>
>  While I believe it is difficult to exploit this, Mailman 2.0.7
>  closes this hole completely, by disabling the Cookie.py module's
>  default unpickling of cookie data.
>
>- It is possible that Mailman's bounce handler could receive a bounce
>  message that looked like a DSN report, but was incorrectly
>  formatted.  Under Mailman 2.0.6's bounce detector, you would get a
>  traceback for a message that would never be removed from the queue,
>  thus potentially wedging your qrunner until the offending message
>  was manually deleted.
>
>  Mailman 2.0.7 fixes the DSN.py bounce detector.
>
>There are a few other useful bug fixes in this release, described in
>the NEWS excerpt below.  I recommend anybody running a version of
>Mailman up to, and including 2.0.6 to upgrade to 2.0.7.
>
>I'm releasing this version only as a tarball -- no patch file is
>provided at this time.  As of this moment, only the SourceForge site
>is up-to-date, although I expect www.list.org and www.gnu.org to
>follow soon.  The release information is available on SourceForge at:
>
>    http://sourceforge.net/project/shownotes.php?release_id=60758
>
>and the file can be downloaded from:
>
>See also:
>
>    http://www.gnu.org/software/mailman
>    http://www.list.org
>    http://mailman.sf.net
>
>-------------------- snip snip --------------------
>2.0.7 (09-Nov-2001)
>    Security fixes:
>    - Closed a hole in cookie management whereby some carefully
>      crafted untrusted cookie data could crash Mailman if used with
>      Python 1.5.2, or cause some unintended class constructors to be
>      run on the server.
>    - In the DSN.py bounce handler, a message that was DSN-like, but
>      which was missing a "report-type" parameter could cause a
>      non-deletable bounce message to crash Mailman forever, requiring
>      manual intervention.
>    Bug fixes:
>    - Stray % signs in headers and footers could cause crashes.  Now
>      they'll just cause an [INVALID HEADER] or [INVALID FOOTER]
>      string to be added.
>    - The mail->news gateway has been made more robust in the face of
>      duplicate headers, and reserved headers that some news servers
>      reject.  If the message is still rejected, it is saved in
>      $prefix/nntp instead of discarded.
>    - Hand-crafted invalid chunk number in membership management
>      display could cause a traceback.
>Mailman-announce mailing list
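
The DSN failure mode described in the quoted announcement (a DSN-like bounce with no "report-type" parameter), shown as an added example that is not part of the original messages and is not Mailman's DSN.py. It uses the modern Python standard-library `email` package; the function name, the sample messages and the choice to treat a missing parameter as "not recognised" are assumptions of this example.

```python
import email

# Constructed sample bounce: looks like a DSN but has no report-type parameter.
MALFORMED = (
    "From: MAILER-DAEMON@example.org\n"
    "Subject: Delivery failure\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/report; boundary="B"\n'
    "\n"
    "--B\n"
    "Content-Type: text/plain\n"
    "\n"
    "Delivery failed.\n"
    "--B\n"
    "Content-Type: message/delivery-status\n"
    "\n"
    "Reporting-MTA: dns; mx.example.org\n"
    "\n"
    "Final-Recipient: rfc822; gone@example.org\n"
    "Action: failed\n"
    "Status: 5.1.1\n"
    "--B--\n"
)
# Same constructed message with the parameter present.
WELL_FORMED = MALFORMED.replace("multipart/report;",
                                "multipart/report; report-type=delivery-status;")


def failed_recipients(raw):
    """Return failed addresses from a DSN; [] when the message is not a usable DSN."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return []
    # A missing parameter yields the failobj instead of None, so .lower() is safe.
    report_type = msg.get_param("report-type", failobj="")
    if not isinstance(report_type, str) or report_type.lower() != "delivery-status":
        return []  # assumption of this example: treat as "not recognised"
    found = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()  # list of per-recipient header blocks
        for block in blocks if isinstance(blocks, list) else []:
            if str(block.get("Action", "")).strip().lower() != "failed":
                continue
            _, _, addr = str(block.get("Final-Recipient", "")).partition(";")
            if addr.strip():
                found.append(addr.strip())
    return found
```

Because the malformed message returns an empty list instead of raising, a queue runner calling this detector can hand the message to its next handler or discard it, so it does not stay in the queue.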