[Mailman-Users] security heads up - path traversal with 2.1.5
Chuq Von Rospach
chuqui at plaidworks.com
Wed Feb 9 21:47:34 CET 2005
If Barry didn't know about it, disclosing it without his approval was
if barry DID know, and hadn't done the disclosure himself, doing it
without his approval was wrong, because Barry likely had a reason why
he hadn't mentioned it yet.
Either way, something like this should have been left to the project
developers (i.e. barry) to disclose.
Some of the mailman team knew about this (I did), and it's been
actively worked on. One reason it wsan't announced here before was
because the problem was in very limited distribution publically, and
putting it on THIS list before the formal patches are ready is a great
way to teach everyone who didn't come up with the attack what it is,
while mailman sites don't have a patch to solve it. Before, only a few
people knew about it (including, obviously, some blackhats). now, lots
of folks do. That makes life worse, not better, for lots of us.
And, FWIW, there are still some questions about who exactly is
vulnerable and who isn't, because not everyone can reproduce the
problem -- it seems to tie into multiple factors, nad it'd be nice if
we knew who really had to worry...
but for now, everyone has to, since it was brought forward before
everything was ready.
On Feb 9, 2005, at 12:08 PM, Ron Brogden wrote:
> Hello Brad. I was under the impression that the Mailman team already
> about this issue which is why I didn't go through the above procedure.
More information about the Mailman-Users