[Mailman-Users] RELEASE Mailman 2.0.7

Barry A. Warsaw barry at zope.com
Sat Nov 10 18:19:50 CET 2001


>>>>> "RB" == Robert Benites <benites at cs.unca.edu> writes:

    RB> Thanks for the 2.0.7 upgrade.

You're welcome!

    RB> I'm curious about your mention of problems related to Python
    RB> 1.5.2 and pre-2.0.7 Mailman. Your announcement indicates 2.0.7
    RB> fixes the vulnerability.

Right.  Python 1.5.2 had a bug in its pickle module that could crash
the interpreter when given a particular string to unpickle.  That
crash is fixed in subsequent versions of Python (in fact I believe the
Python 1.6 release had the fix).

However, it is /still/ possible to trick Python's pickle module into
running arbitrary class initializers, and that could potentially be a
security hole as well.  Personally, I believe this is a vulnerability
of the Cookie module, not the pickle module, since the former is using
the latter on untrusted strings.

Because Mailman's cookie use in no way depends on Cookie's "helpful"
use of unpickling, the Mailman 2.0.7 code simply disables this
convenience.  Internally, Mailman uses marshal to de-serialize the
data encoded in the pickle, and I believe that since marshal only
deals with primitive types, we should be safe.

    RB> Would you recommend an upgrade to a newer version of Python:
    RB> 2.1.1 for instance? If yes, do you have suggestions about the
    RB> upgrade path which should be used. I assume that a newer
    RB> version of Python should be installed, then should Mailman be
    RB> re-installed?

Upgrading Python is a good idea, but probably not enough to close all
the holes.  It's still possible that Mailman 2.1 will require at least
Python 2.1.1 -- I'm still leaving open the possibility that I won't
support Python 2.0.

If you do upgrade, my suggestion would be to upgrade Mailman to 2.0.7
first, then upgrade Python.  Make backups! :)

-Barry
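An added illustration of the points above; this is not Mailman's code and not part of Barry's message. It hand-assembles a protocol-0 pickle stream so that the hazard can be seen without defining any class: pickle's GLOBAL opcode fetches a callable by module and name, and REDUCE calls it, so a parser that hands client-supplied cookie bytes to pickle.loads lets the client pick the callable. Beside it are two narrower alternatives in the spirit of the 2.0.7 change: an Unpickler whose find_class refuses every global (since cookie data needs none), and a marshal-based codec for a dict of plain fields. All names (HOSTILE_COOKIE_VALUE, NoGlobalsUnpickler, encode_cookie, decode_cookie) are made up for this example, and the code targets Python 3, whose http.cookies module no longer offers the unpickling SmartCookie/SerialCookie classes.

```python
"""Why unpickling a cookie is dangerous, and two narrower alternatives.

Added illustration, not Mailman's code.  All identifiers are invented.
"""
import base64
import io
import marshal
import os
import pickle

# 1. A hostile pickle stream, hand-assembled from protocol-0 opcodes:
#       c = GLOBAL  module\nname\n   (import os, fetch os.getcwd)
#       ) = EMPTY_TUPLE              (argument tuple for the call)
#       R = REDUCE                   (call the callable with the tuple)
#       . = STOP
#    Nothing in these 14 bytes is a Python object; os.getcwd is only a
#    benign stand-in for whatever callable an attacker would name.
HOSTILE_COOKIE_VALUE = b"cos\ngetcwd\n)R."


def unpickle_cookie_naively(raw):
    """What a pickle-based cookie parser does: full pickle.loads on
    client-controlled bytes.  Returns whatever the named callable returned."""
    return pickle.loads(raw)


def hostile_stream_runs_code():
    """True iff pickle.loads executed os.getcwd() on behalf of the stream."""
    return unpickle_cookie_naively(HOSTILE_COOKIE_VALUE) == os.getcwd()


# 2. Narrow pickle: refuse every GLOBAL lookup.  With no callable on the
#    stack, REDUCE can never be reached; primitives still load normally.
class NoGlobalsUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is not allowed in cookie data" % (module, name))


def unpickle_cookie_restricted(raw):
    return NoGlobalsUnpickler(io.BytesIO(raw)).load()


def restricted_unpickler_refuses():
    """True iff the restricted loader rejects the hostile stream."""
    try:
        unpickle_cookie_restricted(HOSTILE_COOKIE_VALUE)
    except pickle.UnpicklingError:
        return True
    return False


# 3. Marshal-based codec: marshal has no opcode that calls anything, and
#    we additionally insist on a flat dict of str -> str|int fields.
ALLOWED_VALUE_TYPES = (str, int)


def _check_fields(fields):
    if not isinstance(fields, dict):
        raise ValueError("cookie payload must be a dict")
    for key, value in fields.items():
        if not isinstance(key, str) or not isinstance(value, ALLOWED_VALUE_TYPES):
            raise ValueError("unexpected cookie field %r" % (key,))
    return fields


def encode_cookie(fields):
    """dict -> base64 text suitable for a Set-Cookie value."""
    _check_fields(fields)
    return base64.b64encode(marshal.dumps(fields)).decode("ascii")


def decode_cookie(text):
    """base64 text -> dict, rejecting anything that is not flat field data."""
    fields = marshal.loads(base64.b64decode(text))
    return _check_fields(fields)


if __name__ == "__main__":
    # Constructed sample cookie contents.
    sample = {"user": "someone@example.com", "listname": "mailman-users",
              "expires": 1005412790}
    print("pickle.loads ran attacker-chosen callable:", hostile_stream_runs_code())
    print("restricted unpickler refused it:", restricted_unpickler_refuses())
    print("marshal round trip:", decode_cookie(encode_cookie(sample)) == sample)
```

Two caveats a practitioner would add. marshal is not a security boundary either: its documentation warns against unmarshalling untrusted data, its byte format changes between interpreter versions, and it can carry code objects (loading one does not execute it, but it is still not "primitive" data), which is why the codec above type-checks the result rather than trusting the format. And none of this authenticates the cookie; if the fields grant any authority, they still need an integrity check (a keyed digest over the encoded value) before decode_cookie is ever called.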
