[Mailman-Users] security heads up - path traversal with 2.1.5

Brad Knowles brad at stop.mail-abuse.org
Thu Feb 10 02:32:18 CET 2005

At 12:31 AM +0100 2005-02-10, Kai Schaetzl wrote:

>>  Either way, something like this should have been left to the project
>>  developers (i.e. barry) to disclose.
>  Correct. But it's out and it's not Ron to blame, so I don't see a reason
>  for slapping Ron for posting it finally to the list.

	There are two sides to this matter.  You are correct that the 
public posting has been made, and the blackhats presumably already 
know about it.  They're more likely to be monitoring the 
full-disclosure list than this one, anyway.

	However, I also take Chuq's point that all security announcements 
to this list, and all related Mailman mailing lists hosted on 
python.org, should be made by Barry or one of the other core 
developers.  Even if the information has been publicly released 
elsewhere, it is not appropriate to post it here unless you are one 
of those people.

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
